Preface



This volume contains the papers presented at TABLEAUX’98, the International Conference on Analytic Tableaux and Related Methods, held on May 5-8, 1998 in Oisterwijk (conference centre Boschoord), near Tilburg, The Netherlands. This conference was a continuation of international workshops/conferences on Theorem Proving with Analytic Tableaux and Related Methods held in Lautenbach near Karlsruhe (1992), Marseille (1993), Abingdon near Oxford (1994), St. Goar near Koblenz (1995), Terrasini near Palermo (1996), and Pont-à-Mousson near Nancy (1997).

Tableau methods have been found to be a convenient formalism for automating deduction in various non-standard logics as well as in classical logic. Areas of application include verification of software and computer systems, deductive databases, knowledge representation and its required inference engines, and system diagnosis.

The conference brought together researchers interested in all aspects - theoretical 
foundations, implementation techniques, systems development, and applications 
- of the mechanization of reasoning with tableaux and related methods. 

From the 34 papers submitted, 17 original research papers and 3 original system descriptions were selected by the program committee for presentation at the conference and for inclusion in these proceedings, together with the invited lectures. Abstracts of the tutorials have also been included. These proceedings also contain the summary of the comparison of theorem provers for modal propositional logics, as part of the Tableaux’98 conference, together with the contributions of the persons who participated in this comparison.

As before, Tableaux’98 attracted interest from many parts of the world with 
papers from many countries. 

Acknowledgements I would like to thank Michael Franssen for his support in 
handling the many files, Kirsten van den Hoven for creating and maintaining 
the Tableaux’98 web page, Jozef Pijnenburg for his invaluable help in preparing 
the final manuscript, and all other people without whose help this conference 
would not have been possible: the authors who submitted papers, the speakers, 
the organizers of the tutorials and the comparison, the members of the program 
committee, the referees, the secretarial office of the Faculty of Philosophy of 
Tilburg University, and, last but not least, the sponsors. They made organizing 
the Tableaux’98 conference a pleasant experience. 
Philosophical Aspects of Computerized Verification of Mathematics



N.G. de Bruijn 

Department of Mathematics and Computing Science 
Eindhoven University of Technology 
PO Box 513, 5600MB Eindhoven, The Netherlands 
wsdwnb@win.tue.nl



Abstract. This invited lecture discusses various philosophical aspects of 
computerized verification of mathematics. Particular attention is given 
to the influences of type-theoretical verification systems. The paper is 
halfway between a full paper and an extended abstract. The reason is 
that an extensive text of a very similar lecture (Venice, 1995) is to be 
published in [7]. 



1 Introduction 

Computer aided verification has philosophical aspects. The design of a verification system is a product of the designer’s view on mathematics, and, on the other hand, the development and the usage of a verification system may reshape one’s philosophy. That word will be used lightheartedly here. It is not taken as serious professional philosophy, but just as meditation about the way one does one’s job.

What used to be called philosophy of mathematics in the past was for a 
large part subject-oriented. Most people characterized mathematics by its subject 
matter, classifying it as the science of space and number. From the verification 
system’s point of view, however, subject matter is irrelevant. Verification involves 
the rules of mathematical reasoning, not the subject. 

The author’s philosophy is definitely anti-platonistic. Mathematical language 
is so perfect that it can talk coherently about things that do not exist at all (such 
discussions might even lead to proofs of their non-existence). So one should not 
claim any kind of platonistic existence of things on the sole ground that one has 
talked about them in the same style as about the real world. 

Some of the points of view displayed in this lecture are matters of taste, but 
most of them were imposed by the task of letting a machine follow what we say, 
a machine without any knowledge of our mathematical culture and without any 
knowledge of physical laws. The author’s ideas can be carried back to his design 
of the Automath system in the late 1960’s, with quite some mutual inspiration 
between the way to look upon mathematics on the one hand and the structure 
and usage of the verification system on the other. See [6] for philosophical items 
concerning Automath, and [1,2,8] for general information about the Automath 
project. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 1-9, 1998. 

© Springer-Verlag Berlin Heidelberg 1998
Such type-theoretical verification systems call for new attitudes: throughout the 20-th century most mathematicians had been trained to think in terms of untyped sets.

2 Predominance of Language 

During the 20-th century the role played by the language of mathematics became more and more prominent. After millennia of mathematics one has finally reached a level of understanding that can be physically represented. Mankind managed to disentangle the intricate mixture of language, metalanguage and interpretation, isolating a body of formal, abstract mathematics that machines can verify completely. Machines handle language, and nothing but language.

Philosophically, the fact that mathematics can now completely be checked 
by machines should not be underestimated. 

If a computer has to check mathematics, one has to feed it with texts and 
to request it to check whether those texts obey the rules of the game. The rules 
interpret correctness of a piece of text in the light of what was accepted earlier: 
it is the matter of correctness of a complete book. 

In our relation with the machine there is language and nothing but language. 
Machines have no idea about meaning in the usual philosophical sense. But they 
can handle “meaning” adequately if we take the word in the sense of a mapping 
from a language system into another one. 

The language of mathematics is a living organism. There have been many cases in the past where mathematicians began talking metalanguage, making and proving statements about the mathematical text itself. Subsequently they admitted such arguments as legitimate language. An example that took about the whole 19-th century to mature is the acceptance of a function as a mathematical object.

Such transitions change the borderline between language and metalanguage. 
A recent case is the paradigm of “proofs as objects”, that has by no means 
settled yet in the general mathematical community. 

3 Levels of Activity 

The world of mathematics can be subdivided in several ways; here we mainly consider the levels of formalization involved with the full spectrum ranging from discovery to complete formal verification. It is like a conveyor belt where people are processing a mathematical product which starts as a vague idea, is transformed from stage to stage, and ends as a finished completely formal and impeccable text.

This conveyor belt may employ various kinds of people. Towards the end of 
the belt, the workers have to be more meticulous, more bureaucratic, and hardly 
need to “understand” what they are working on. 

Do there always have to be different people at different stations along the belt? One can learn from the area of mathematics publishing, which rapidly changed over the last few decades. Instead of using assistants, typists and professional printing people, many creative mathematicians are now desk-top publishers themselves.

If the theorem proving community and the proof checking community do their work well, one might get a similar situation for the conveyor belt. The belt might be handled by the creative mathematician all by himself. Automated theorem provers may do useful work at several places of the belt, in particular at the far end (the proof checking station), where it may be left to a machine to fill all sorts of trivial little gaps.

4 Teaching Mathematics 

Teaching is an essential part of the mathematician’s trade, mainly because of 
the central role of proving. To prove means to explain and to convince. 

But is teaching always completely convincing? It has often been said that mathematics is taught by intimidation, and learned by imitation. There is certainly some truth in this, in particular as far as it concerns the structure and basic rules of mathematics. Teaching hardly ever specified what definitions, assumptions, axioms, theorems, variables and proofs really are.

It may be quite true that it is better not to burden beginners with such questions. But would mathematics teachers be able to explain these fundamentals later? Would they be able to explain them to themselves? A verification system forces us to be quite clear about those structural items, and may therefore have a positive influence on mathematics teaching. If we fail to explain the basic structure of mathematics to a machine then it is an illusion to think that we can explain it, without intimidation, to a student.



5 Influences of System Efficiency 

The development of a verification system requires quite some efficiency in order to cope with limited resources, in particular with restricted hardware and software. This has a danger: the urge for efficiency can lead to a structure one might deplore later on. But there can be positive effects too. The need for efficiency may reveal similarities, suggesting ways to treat similar things alike, making them even more similar than they were.

This is illustrated by the discovery of the “proofs as objects” paradigm. If 
we want a machine to accept a particular application of a theorem, we have 
to feed it with object expressions for the variables as well as with proofs (or 
references to proofs) for the updated assumptions, and these two kinds of things 
are interwoven. In both cases we have similar dependency on parameters and 
similar substitution mechanism. At the start, attitudes with respect to objects 
and proofs are very different, but this changes under the attempts to draw full 
profit from the similarity. This gives two innovations at the same time. First, 
proofs are treated the same way as objects, and proof classes the same way as 
object types. Secondly, we notice that the proof classes depend on parameters. So they require dependent types, and the natural step is to allow dependent types for object types too.

In the matter of efficiency, the most essential thing is preventing exponential 
growth and even quadratic growth of the time a machine needs for checking what 
we write. In order to keep in pace with the ordinary presentation of mathematics, 
we have to require linear time. It means feasibility. 



6 Influences of Systematic Notation 

If we want a machine to digest our mathematical material, we have to revise our notational habits occasionally. Poor notation can obstruct insight and development, good notation can be a stimulus for discovery, in particular since it can promote ideas on the metalanguage level.

Lambda notation is an example. If it had not existed before, it would have 
been discovered at once in the first attempts to get mathematical contact with 
a machine. 



7 Natural Deduction 

One of the pillars of Automath was what is sometimes called Fitch style of natural deduction. It fully deserves the name “natural” since it was used by mathematicians long before it was ever formally described: presentation of mathematics in the form of nested blocks, where blocks are opened either by making an assumption or by introducing a (possibly typed) variable.

Natural deduction follows the way people reasoned before it was tried to 
explain logic by means of an algebra of truth values. Such Boolean logic is 
metatheory of classical reasoning. It does not show what that reasoning is. It is 
silly that education in elementary logic so often takes truth values as point of 
departure. 



8 Types 

Having types is not a new idea either. On the contrary: it was the standard idea before the doctrine “everything is a set” emerged. In that doctrine “set” means “untyped set”.

Most mathematicians may still think in terms of types today, even when 
preaching that everything is a set. 

One can get a feeling for the meaning of “type” by inspecting English sentences containing the word group “is a”. The sentence “The capital of Italy is a big city” expresses that “the capital of Italy” has the type “big city”. On the left of the group “is a” we have a string of words that has the form of a name: an accurate description of something, describing it uniquely; on the right we have a substantive group or a single substantive.
With this natural language interpretation in mind, one can find all sorts of opportunities to introduce types, thereby enriching the scope of formal mathematics. Once a verification system is ready for attaching types to things, types can be used in many ways, even simultaneously. An expression representing a particular proof of some proposition Q can be given the type “proof of Q”, an expression describing the construction of the centre of a circle c can be given the type “construction for the centre of c”. This amalgamates several worlds: the world of objects, the one of proofs and the one of geometrical constructions; in each one of these worlds things from the other worlds can play the role of parameters (see [3,5]).

Types play the same role as substantives in natural language. They have always been used on a large scale in mathematics, but there was no tradition to express them in terms of symbols. Since antiquity one used symbols and composite expressions as names of objects, Leibniz and Boole began to use symbols to represent sentences, but for substantives such a thing was not done. Yet it can be profitable. In particular one can handle dependent substantives, similar to dependent types.

A description of the syntax of natural mathematical language on the basis 
of sentences, substantives and names can be found in [4]. 

9 Proofs as Objects 

The “proofs as objects” paradigm has philosophical consequences: it is a quite revolutionary shift of the borderline between language and metalanguage. The sentence “p is a proof of Q” (where Q is some proposition and p is a proof) used to be metalanguage, but in a type-oriented verification system it belongs to the mathematical language itself, just like “x + y is a rational number”. The word group “proof of Q” is used in the same way as the group “rational number”; both word groups can be called types.

This principle that proofs can be treated the same way as objects has been 
given various names, like “formulas as types” and “propositions as types”. 



10 Constructivism 

Different people may give different definitions of constructivism. For some it is 
the rejection of the axiom of choice; others will say that the use of classical logic 
is non-constructive already. 

Constructivity is a point of view that accepts a particular language and a 
particular set of axioms, but refuses language extensions and further axioms or 
further primitive notions. 

It is unreasonable to ban extra axioms if one is liberal about language extensions at the same time. One can easily fool oneself: if one allows quantification over all propositions, it is possible to introduce the proposition that all propositions are true, and to use that as a definition of falsum. That gives the falsum rule as a theorem, and one does not have to call it an axiom any more. Nevertheless one has introduced the same non-constructivity, and possibly more, in a disguised form.



11 The Scope of Mathematics 

Mathematics is not just the study of numbers and geometrical figures, as it used 
to be said in the past. And it is not just set theory. 

Verification systems have a different point of view. For them, mathematics 
is anything they can verify. This is flexible, of course, since languages can be 
extended, in particular by internalizing pieces of metalanguage. 

Typed lambda calculus is capable of handling almost anything we call mathematics. It can handle types of objects, of proofs, of geometrical constructions, of computer programs, and whatever else might come up in the abstract sciences. Therefore it seems attractive to claim that mathematics is anything that can be handled by typed lambda calculus.

But one can go beyond this. Lambda calculus can be extended in many ways. 
One can have extensions which allow using large pieces of text (like theories) as 
objects. 

12 Platonism 

Mathematics seems to talk about things, but do these really exist? We have 
no way to find out, and worse: we have no way to express what we mean by 
existence. Yet many people have that funny feeling of having to choose between 
existence and non-existence. 

One might call it mathematical platonism to consider the mathematician as 
a journalist, and anti-platonism to consider him as a novelist. 

Verification systems definitely put an end to platonism. The only things these 
systems deal with are language texts. These texts themselves have a certain 
physical existence: they can be represented by means of ink on paper and by 
electric or magnetic charges in computer hardware. But the things discussed by 
the texts usually lack physical existence. 

It is instructive to compare a mathematics verification system with a machine 
that simply verifies whether a given list of chess moves represents a legitimate 
game. Any sensible program achieves this by building the chess board positions 
in the machine’s memory, checking whether in each one of those positions the 
next move of the list is admitted by the rules of chess, and updating the board 
accordingly. The list of moves talks about positions, and both the list and the 
positions are physically represented. In a mathematics verification system this is 
different. Even where mathematical objects might be represented physically, the 
system does not do it. The mathematical text is judged by its internal coherence, 
irrespective of interpretations or meanings. 

Platonists and anti-platonists are alike if it comes to forming mental images, possibly suggesting connections with older statements with similar images. It is both helpful and stimulating; it does not matter whether it is considered as fact or as fiction.

As long as no use is made of the claimed existence of mathematical objects, 
platonism does no harm at all; it is just irrelevant. 

But platonism is certainly confusing for beginning mathematics students in 
the matter of the existence quantifier, where the word “existence” has a different 
meaning. 

Platonism has left its traces in the anti-platonistic world too. The idea of negation somehow acknowledges the platonistic idea that there is truth beyond provability. All mathematicians who handle classical logic agree that any statement is either true or false. Their confidence was not even shaken by the discovery of undecidable propositions.

The old question whether mathematical situations are discovered or created 
is entirely a platonist’s problem. 



13 Mathematics and the Real World 

The physicist E. Wigner made a famous statement about the incredible and 
undeserved success of mathematics in explaining the real world. Mathematicians 
may find it even more remarkable that it holds in spite of the fact that a large part 
of that successful mathematics has always been immature, incomplete, unfinished 
and partially incorrect. 

But if we believe that there is a final correct mathematical description of 
the entire physical reality, Wigner’s observation gets into a new light under the 
claim that all correct mathematics can be physically represented, and that formal 
mathematical reasoning can be a very clear part of that real world. Needless to 
say, the human brain was a part of that real world all the time, but by no means 
a very clear part. 



14 Changing Roles 

There can be changes in attitudes about mathematics under the influence of the 
proofs-as-objects system. 

There is the old chicken-and-egg problem of mathematics and logic: is mathematics based on logic or is logic a branch of mathematics? If a verification system handles proofs as objects, the difference between logic and mathematics vanishes almost entirely. Logical fundamentals have the same form as mathematical axioms. Logical derivation rules can be derived, sometimes using mathematics. Such rules can be applied, both to logic and to mathematics.

Traditionally, logic is just the part of mathematics that is not taught explicitly at the time it should, but studied later as a kind of metatheory. Verification systems can change our attitudes in this matter.

The attitudes of today’s mathematicians might be vaguely sketched by the 
roles of what shall here be called M, P, F and L. 
M is the body of all mathematical truth: mathematical objects and their relations.

P is the real physical world. All sorts of events in P seem to be reflected by 
objects and relations in M. 

F is a formal system, meticulously expressing the foundations for the establishment of truth in M. For most people, it contains logic and the foundations of formal set theory.

L is the discussion language in which we think, write and talk. It is a mixture 
of words and formulas, and usually not very formal. 

The standard attitude seems to be that L talks about M, and that F provides 
the authority. But F does not provide rules for handling the physical world. The 
relation between M and P is discussed in physics. 

Under the influence of verification systems the roles can change. It may even 
go so far that F’s authority will be taken over by some purified form of L. M 
lives on as a kind of imagined reality, giving inspiration and motivation when 
we talk L. And if we need mathematics in studying the real world, L can talk 
directly about P, without interference by M. So L can serve as a language for 
physics too. 

F becomes metatheory, not necessary for L’s authority, but possibly useful 
for studying the limits of what L can achieve. As a mathematical theory, F is 
just one of the many mathematical subjects that F can handle. 

In this picture the mathematician becomes a formalist, but there is nothing against it. Formalism is the essence of mathematics, as all non-mathematicians know. Over the years the word “formalist” got a negative connotation, it even became an insult. Wrongly: the emotional dividing line should not be drawn between non-formalism and formalism, but between formalism and bureaucratic formalism. A bureaucratic formalist is someone who applies rules meticulously without higher motives like “imagination”, “meaning”, “sense” and “beauty”. In that sense the machine is a bureaucratic formalist, and we ourselves try to avoid becoming one.



15 Absolute Safety? 

Formal verification does not lead to absolute safety. Who checks the checker 
and the checking program? The program may be compared to its specifications, 
but who checks the specifications? The only thing we can do is to require the 
specifications and checkers to be exceedingly simple and transparent. 

For a part of the problem there is an obvious way out: one can take a verification program itself as the definition of correctness. That is about the same as what seems to have been the general norm in the past: a thing was correct if and only if meticulous human verification found no flaws. But there is an important difference: in the human case there used to be no explicitly stated rules for such verification.
One has to be modest, but nevertheless it can be claimed that a simple and transparent computerized verification system can check human-made mathematics much more dependably than humans themselves could ever do.

16 What is a Proof? 

Verification systems insist on formal proofs. It is reasonable to ask whether this is 
really the only thing there is. What one often expects from a proof is that it gives 
confidence. As an example we imagine some theorem t and we imagine that we 
have a metatheoretical proof q for the statement that there exists a piece of text 
r which our verification system will accept as a proof for t. This gives confidence, 
yet we do not have a proof for t, as long as we do not actually “have” r. 

We cannot claim that with the acceptance of a verification system we have 
finally settled the question about what a proof is, but anyway we have raised 
the discussion to a higher level. 
Abstract. How can we understand reasoning in general and mathematical proofs in particular? It is argued that a high-level understanding of proofs is needed to complement the low-level understanding provided by Logic. A role for computation is proposed to provide this high-level understanding, namely by the association of proof plans with proofs. Criteria are given for assessing the association of a proof plan with a proof.



1 Motivation: The Understanding of Mathematical Proofs 

We argue that Logic¹ is not enough to understand reasoning. It provides only a low-level, step by step understanding, whereas a high-level, strategic understanding is also required. Many commonly observed phenomena of reasoning cannot be explained without such a high-level understanding. Furthermore, automatic reasoning is impractical without a high-level understanding.

We propose a science of reasoning which provides both a low- and a high-level understanding of reasoning. It combines Logic with the concept of proof plans, [Bundy, 1988]. We illustrate this with examples from mathematical reasoning, but it is intended that the science should eventually apply to all kinds of reasoning.



2 The Need for Higher-Level Explanations 

A proof in a logic is a partially ordered set of formulae where each formula in the set is either an axiom or is derived from earlier formulae in the set by a rule of inference. Each mathematical theory defines what it means to be a formula, an axiom or a rule of inference. Thus Logic provides a low-level explanation of a mathematical proof. It explains the proof as a sequence of steps and shows how each step follows from previous ones by a set of rules. Its concerns are limited to the soundness of the proof, and to the truth of proposed conjectures in models of logical theories.

* The research reported in this paper was supported by EPSRC grant GR/L/11724. I would like to thank two anonymous referees and other members of the mathematical reasoning group at Edinburgh for feedback, especially Richard Boulton, Mitch Harris, Colin Phillips, Frank van Harmelen and Toby Walsh. The full version of this extended abstract appeared in [Bundy, 1991].

¹ We adopt the convention of using uncapitalised ‘logic’ for the various mathematical theories and capitalised ‘Logic’ for the discipline in which these logics are studied.

While Logic provides an explanation of how the steps of a proof fit together, it 
is inadequate to explain many common observations about mathematical proofs. 

— Mathematicians distinguish between understanding each step of a proof and 
understanding the whole proof. 

— Mathematicians recognise families of proofs which contain common structure.

— Mathematicians distinguish between ‘interesting’ and ‘standard’ steps of a 
proof. 

— Mathematicians describe proofs to each other at different levels of detail. 
Their high level descriptions contain only very brief summaries of standard 
steps but give more detail about the interesting ones. 

— Mathematicians use their experience of previously encountered proofs to help 
them discover new proofs. 

— Mathematicians often have an intuition that a conjecture is true, but this 
intuition is fallible. 

— Students of mathematics, presented with the same proofs, learn from them 
with varying degrees of success. 



3 Common Structure in Proofs 

Several researchers in automatic theorem proving have identified common struc- 
ture in families of proofs. For instance, 

— [Bundy & Welham, 1981] describes the common structure in solutions to 
symbolic equations. This common structure was implemented in a process 
of meta-level inference which guided the search for solutions to equations. 

— [Bundy et al, 1988] describes the common structure in inductive theorems 
about natural numbers, lists, etc. This common structure was implemented 
as an inductive proof plan which was used to guide the search for proofs of 
such theorems. 

— [Bledsoe et al, 1972] describes the common structure in theorems about limits of functions in analysis. This common structure was implemented as the limit heuristic and used to guide the search for proofs of such theorems.

— [Wos & McCune, 1988] describes the common structure in attempts to find fixed-point combinators. This common structure was implemented as the kernel method and used to guide the search for such fixed-points.

— [Polya, 1965] describes the common structure in ruler and compass constructions. This common structure was implemented by [Funt, 1973] and used to guide the search for such constructions.

— [Huang et al, 1995] and [Gow, 1997] describe the common structure in diagonalization proofs. This common structure has been implemented (twice) as a diagonalization proof plan and used to guide the proofs of a variety of theorems.
4 Proof Plans

Common structure in proofs can be captured in proof plans. These proof plans 
are represented by three kinds of computational object: 

Tactics: are computer programs which construct part of a proof by applying 
rules of inference in a theorem proving system. A simple tactic might apply 
only a single rule of inference; a compound tactic will be defined in terms of 
simpler tactics and might construct a whole proof. 

Methods: are logical specifications of tactics. In particular, a method describes 
the preconditions for the use of a tactic and the effects of using it. These 
preconditions and effects are syntactic properties of the logical expressions 
manipulated by the tactic and are expressed in a meta-logic. 

Critics: capture common patterns of failure of methods and suggest patches 
to the partial proof. A critic is associated with a method and is similar in 
structure, except that its preconditions describe a situation in which the 
method fails. Instead of effects it has instructions on how to patch the failed 
proof plan. 

A proof planner uses the methods to construct a customised tactic for the current conjecture. It combines general-purpose tactics so that the effects of earlier ones achieve the preconditions of later ones. The specifications of the tactics, which the methods provide, enable the proof planner to conduct meta-level inference which matches problems to the tactics which are best placed to solve them. The customised tactic constructed by the proof planner is input to a theorem prover which uses it to try to prove the conjecture.

In general, a complete specification of a tactic is not obtainable. So the proof planning process is fallible. Using critics we may be able to recover from an initial failure. For instance, the preconditions of a method may succeed, but those of one of its sub-methods fail. In this case a critic associated with the sub-method may suggest a patch to the proof plan. Each sub-method may have several associated critics, corresponding to different failure patterns of its preconditions. Each critic will suggest a different way to patch the proof. So the form of proof failure suggests an appropriate patch. This productive use of failure via critics is made possible by proof planning and is one of its most powerful features, [Ireland & Bundy, 1996]. 

Proof plans have been implemented at Edinburgh in the Oyster-CLAM system, [Bundy et al, 1990], and at Saarbrücken in the Ωmega system, [Benzmüller et al, 1997]. Oyster is a theorem prover for Intuitionist Type Theory. CLAM is a plan formation program which has access to a number of general-purpose methods and critics for inductive proofs. CLAM constructs a special-purpose tactic for each conjecture by reasoning with its methods and critics. This specialised tactic is then executed by Oyster, constructing a proof. Ωmega works in a similar way. The search for a proof plan at the meta-level is considerably cheaper than the search for a proof at the object-level. This makes proof plans a practical solution to the problems of search control in automatic theorem proving. 

5 The High-Level Understanding of Proofs 

Thus a high-level explanation of a proof of a conjecture is obtained by associating a proof plan with it. The tactic of this proof plan must construct the proof. The method of this proof plan must describe both the preconditions which made this tactic appropriate for proving this conjecture and the effects of this tactic’s application on the conjecture. It must also describe the role of each sub-tactic in achieving the preconditions of later sub-tactics and the final effects of the whole tactic. 

In fact, this association provides a multi-level explanation. The proof plan associated with the whole proof provides the top-level explanation. The immediate sub-tactics and sub-methods of this proof plan provide a medium-level explanation of the major sub-proofs. The tactics and methods associated with individual rules of inference provide a bottom-level explanation, which is similar to that already provided by Logic. 

The general-purpose tactics and methods which we will use to build proof 
plans, and the association of proof plans with proofs will constitute the theories 
of our science of reasoning. This extends the way in which logical theories and 
the association of logical proofs with real proofs and arguments, constitute the 
theories of Logic (especially Philosophical Logic). Just as Logic also has meta- 
theories about the properties of and relations between logical theories, we may 
also be able to develop such meta-theories about proof plans. 

6 What Is the Nature of Our Science of Reasoning? 

Before we can dignify this proposed study of the structure of proofs with the 
epithet science we must address a fundamental problem about the nature of such 
a science. Traditional sciences like Physics and Chemistry study physical objects 
and the way they interact. The subject of our proposed science is proof plans. 
But proof plans are not physical objects. If they can be said to exist at all it is in 
the minds of mathematicians proving theorems, teachers explaining proofs and 
students understanding them. Physicists assume that the electrons in the apple 
I am eating as I write are essentially the same as the electrons in some distant 
star. But proof plans will differ from mind to mind and from time to time. There 
will be billions of such proof plans. Are we doomed merely to catalogue them 
all? Given the difficulty of discovering the nature of even one such proof plan, 
what a difficult and ultimately pointless task this would be. We would prefer to 
narrow our focus on a few representative proof plans. But on what basis could 
these few be chosen? 

Fortunately, this is not a new problem. It is one faced by all human sciences to some extent and it is one that has been solved before. Consider the science of Linguistics. In Linguistics the theories are grammars and the association of grammatical structure with utterances. Linguists do not try to form different grammars for each person, but try to form a grammar for each language, capturing the commonality between different users of that language. They try to make these grammars as parsimonious as possible, so that they capture the maximum amount of generality within and between languages. Linguists do not claim that everyone or anyone has these target grammars stored in their head — nor, indeed, that anyone has a grammar at all — only that they specify the grammatical sentences of the language. 

Another example is Logic itself. Again judged by the arguments people produce, the logical laws differ between minds and vary over time. Logicians do not try to capture this variety, but confine themselves to a few logics which specify ‘correct’ arguments. As with grammatical sentences, correct arguments are identified by initial observation of arguments actually used and consultation with experts to decide which of these are correct. 

I place our proposed science of reasoning between Linguistics and Logic. Proof plans are more universal than grammatical rules, but it is possible to associate different, equally appropriate proof plans with the same proof. The study of proof plans appeals both to an empirical study of the way in which mathematicians structure their proofs and to reflection on the use of logical laws to put together proofs out of parts. 

Thus there are strong precedents for a science that takes mental objects as its domain of study and tames the wide diversity of exemplars by imposing a normative explanation informed by reflection and empirical study. It only remains to propose criteria for associating proof plans with proofs that will enable us to prefer one proof plan to another. This we can do by appealing to general scientific principles. Our proposals are given in the next section. 



7 Criteria for Assessing Proof Plans 

If there were no criteria for the association of proof plans with proofs, then we 
could carry out our programme by associating with each proof an ad hoc tactic 
consisting of the concatenation of the rules of inference required to reproduce it, 
and constructing an ad hoc method in a similar way. This would not go beyond 
the existing logical explanation. 

The only assessment criterion we have proposed so far is correctness, i.e. that 
the tactic of the proof plan associated with a proof will construct that proof when 
executed. We now discuss some other possible criteria. 

— Psychological Validity: a proof plan gets more credit if there is experimental evidence that all, most or some mathematicians producing or studying proofs also structured a proof in the way suggested by some proof plan. This criterion is only applicable if we are trying to model human reasoning, but it can be suggestive even when we are not. 

— Expectancy: a proof plan gets more credit if it provides some basis for predicting whether it will succeed. 

— Generality: a proof plan gets credit from the number of proofs or sub-proofs with which it is associated and for which it accounts. 

— Prescriptiveness: a proof plan gets more credit the less search its tactic generates and the more it prescribes exactly what rules of inference to apply. 

— Simplicity: a proof plan gets more credit for being succinctly stated. 

— Efficiency: a proof plan gets more credit when its tactic is computationally 
efficient. 

— Parsimony: the overall theory gets more credit the fewer general-purpose proof plans are required to account for some collection of proofs. 

Initially, a proof plan may be suggested by its author’s intuition of how s/he proved some theorems, perhaps augmented by more or less formal studies of other mathematicians. The criteria of correctness, expectancy, generality, prescriptiveness, simplicity, efficiency and parsimony can then be used to generalise and refine it. 
8 The Role of the Computer 

So far we have not involved the computer in this methodological discussion. One might expect it to play a central role. In fact, computers have no role in the theory, but play an important practical role. Computation plays a central role in the theory, because the tactics are procedures and they are part of the theory of our science of reasoning. It is not, strictly speaking, necessary to implement these tactics on a computer, since they can be executed by hand. However, in practice, it is highly convenient. It makes the process of checking that the tactics meet the criteria of §7 both more efficient and less error prone. Machine execution is convenient: 

— for speeding up correctness testing, especially when the proof plans are long, 
or involve a lot of search, or when a large collection of conjectures is to be 
tested; 

— to automate the gathering of statistics, e.g. on size of search space, execution 
time, etc; 

— to ensure that a tactic has been accurately executed; and 

— to demonstrate to other researchers that the checking has been done by a 
disinterested party. 

In this way the computer can assist the rapid prototyping and checking of hypothesised proof plans. Furthermore, in its ‘disinterested party’ role, the computer acts as a sceptical colleague, providing a second opinion on the merits of hypothesised proof plans that can serve as a source of inspiration. Unexpected positive and negative results can cause one to revise one’s current preconceptions. 



9 The Relation to Automatic Theorem Proving 

Although our science of reasoning might find application in the building of high 
performance, automatic theorem provers, the two activities are not co-extensive. 
They differ both in their motivation and their methodology. 

I take the conventional motivation of automatic theorem proving to be the building of theorem provers which are empirically successful, without any necessity to understand why. The methodology is implied by this motivation. The theorem prover is applied to a random selection of theorems. Unsuccessful search spaces are studied in a shallow way and crude heuristics are added which will prune losing branches and prefer winning ones. This process is repeated until the law of diminishing returns makes further repetitions not worth pursuing. The result is fast progress in the short term, but eventual deadlock as different proofs pull the heuristics in different directions. This description is something of a caricature. No ATP researchers embody it in its pure form, but aspects of it can be found in the motivation and methodology of all of us, to a greater or lesser extent. 

Automatic theorem provers based on proof plans make slower initial progress. Initial proof plans have poor generality, and so few theorems can be proved. The motivation of understanding proofs militates against crude, general heuristics with low prescriptiveness and no expectancy. The ‘accidental’ proof of a theorem is interpreted as a fault caused by low prescriptiveness, rather than a lucky break. However, there is no eventual deadlock to block the indefinite improvement of the theorem prover’s performance. If two or more proof plans fit a theorem then either they represent legitimate alternatives both of which deserve attempting or they point to a lack of prescriptiveness in the preconditions which further proof analysis should correct. 

Thus, we expect a science of reasoning will help us build better automatic 
theorem proving programs in the long term, although probably not in the short 
term. 

10 Conclusion 

In this paper we have proposed a methodology for reaching a multi-level understanding of mathematical proofs as part of a science of reasoning. The theories of this science consist of a collection of general-purpose proof plans, and the association of special-purpose proof plans with particular proofs. Each proof plan consists of a tactic and a method which partially specifies it. Special-purpose proof plans can be constructed by a process of plan formation which entails reasoning with the methods of the general-purpose proof plans and critics which provide standard patches for commonly occurring failure patterns. 

Ideas for new proof plans can be found by analysing mathematical proofs using our intuitions about their structure and, possibly, psychological experiments on third party mathematicians. Initial proof plans are then designed which capture this structure. These initial proof plans are then refined to improve their expectancy, generality, prescriptiveness, simplicity, efficiency and parsimony. Scientific judgement is used to find a balance between these sometimes opposing criteria. Computers can be used as a workhorse, as a disinterested party to check the criteria and as a source of inspiration. 

Proof planning can be applied to automatic theorem proving as a heuristic 
technique for proof search. It may also be used in interactive theorem proving 
to improve the communication with the user. The proof can be automatically 
divided into manageable chunks and the relationships between these chunks can 
be described in terms of the preconditions and effects of the tactics. Lastly, proof 
plans may find some role in mathematical education as a basis for structuring 
the proof and describing the process of proof discovery. 

The design of general-purpose proof plans and their association with particular proofs is an activity of scientific theory formation that can be judged by normal scientific criteria. It requires deep analysis of mathematical proofs, rigour in the design of tactics and their methods, and judgement in the selection of those general-purpose proof plans with real staying power. Our science of reasoning is normative, empirical and reflective. In these respects it resembles other human sciences like Linguistics and Logic. Indeed it includes parts of Logic as a sub-science. 

Personal Note 

For many years I have regarded myself as a researcher in automatic theorem 
proving. However, by analysing the methodology I have pursued in practice, I 
now realise that my real motivation is the building of a science of reasoning in 
the form outlined above. Now that I have identified, explicitly, the science in 
which I have been implicitly engaged, I intend to pursue it with renewed vigour. 
I invite you to join me. 
Abstract. Model checking is an automatic verification technique for finite state concurrent systems such as sequential circuit designs and communication protocols. Specifications are expressed in propositional temporal logic. An exhaustive search of the global state transition graph or system model is used to determine if the specification is true or not. If the specification is not satisfied, a counterexample execution trace is generated if possible. By encoding the model using Binary Decision Diagrams (BDDs) it is possible to search extremely large state spaces with as many as 10^120 reachable states. In this paper we describe the theory underlying this technique and outline its historical development. We demonstrate the power of model checking to find subtle errors by verifying the Space Shuttle Three-Engines-Out Contingency Guidance Protocol. 



1 Introduction 

Logical errors found late in the design phase are an extremely important problem for both circuit designers and programmers. During the past few years, researchers at Carnegie Mellon University have developed an alternative approach to verification called temporal logic model checking [10,11]. In this approach specifications are expressed in a propositional temporal logic, and circuit designs and protocols are modeled as state-transition systems. An efficient search procedure is used to determine automatically if the specifications are satisfied by the transition systems. 

Model checking has several important advantages over mechanical theorem provers or proof checkers for verification of circuits and protocols. The most important is that the procedure is completely automatic. Typically, the user provides a high level representation of the model and the specification to be checked. The model checking algorithm will either terminate with the answer true, indicating that the model satisfies the specification, or give a counterexample execution that shows why the formula is not satisfied. The counterexamples are particularly important in finding subtle errors in complex transition systems. The procedure is also quite fast, and usually produces an answer in a matter of minutes or even seconds. Partial specifications can be checked, so it is unnecessary to specify the circuit completely before useful information can be obtained regarding its correctness. Finally, the logic used for specifications can directly express many of the properties that are needed for reasoning about concurrent systems. 

* This research is sponsored by the Semiconductor Research Corporation (SRC) under Contract No. 97-DJ-294, the National Science Foundation (NSF) under Grant No. CCR-9505472, and the Defense Advanced Research Projects Agency (DARPA) under Contract No. DABT63-96-C-0071. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of SRC, NSF, DARPA, or the United States Government. 

The main disadvantage of this technique is the state explosion which can occur if the system being verified has many components that can make transitions in parallel. Recently, however, the size of the transition systems that can be verified by model checking techniques has increased dramatically. The initial breakthrough was made in the fall of 1987 by McMillan, who was then a graduate student at Carnegie Mellon. He realized that using an explicit representation for transition relations severely limited the size of the circuits and protocols that could be verified. He argued that larger systems could be handled if transition relations were represented implicitly with ordered binary decision diagrams (OBDDs) [6]. By using the original model checking algorithm with the new representation for transition relations, he was able to verify some examples that had more than 10^20 states [9,21]. He made this observation independently of the work by Coudert et al. [12] and Pixley [23,24,25] on using OBDDs to check equivalence of deterministic finite-state machines. Since then, various refinements of the OBDD-based techniques by other researchers at Carnegie Mellon have pushed the state count up to more than 10^120 [7]. 

2 Temporal Logic Model Checking 

Pnueli [26] was the first to use temporal logic for reasoning about concurrent programs. His approach involved proving properties of the program under consideration from a set of axioms that described the behavior of the individual statements in the program. The introduction of temporal logic model checking algorithms in the early 1980’s allowed this type of reasoning to be automated. Since checking that a single model satisfies a formula is much easier than proving the validity of a formula for all models, it was possible to implement this technique very efficiently. The first algorithm was developed by Clarke and Emerson in [10]. Their algorithm was polynomial in both the size of the model determined by the program under consideration and in the length of its specification in Computational Tree Logic (CTL). They also showed how fairness could be handled without changing the complexity of the algorithm. This was an important step since the correctness of many concurrent programs depends on some type of fairness assumption; for example, absence of starvation in a mutual exclusion algorithm may depend on the assumption that each process makes progress infinitely often. 

At roughly the same time Quielle and Sifakis [27] gave a model checking algorithm for a similar branching-time logic, but they did not analyze its complexity or show how to handle an interesting notion of fairness. Later Clarke, Emerson, and Sistla [11] devised an improved algorithm that was linear in the product of the length of the formula and in the size of the global state graph. Sistla and Clarke [28] also analyzed the model checking problem for a variety of other temporal logics and showed, in particular, that for linear temporal logic the problem was PSPACE complete. 

A number of papers demonstrated how the temporal logic model checking procedure could be used for verifying network protocols and sequential circuits ([2], [3], [4], [5], [11], [15], [22]). Early model checking systems were able to check state-transition graphs with between 10^4 and 10^5 states at a rate of about 100 states per second. In spite of these limitations, model checking systems were used successfully to find previously unknown errors in several published circuit designs. 

Alternative techniques for verifying concurrent systems were proposed by a number of other researchers. The approach developed by Kurshan [17,18] was based on checking inclusion between two automata. The first machine represented the system that was being verified; the second represented its specification. Automata on infinite tapes (ω-automata) were used in order to handle fairness. Pnueli and Lichtenstein [20] reanalyzed the complexity of checking linear-time formulas and discovered that although the complexity appears exponential in the length of the formula, it is linear in the size of the global state graph. Based on this observation, they argued that the high complexity of linear-time model checking might still be acceptable for short formulas. Emerson and Lei [16] extended their result to show that formulas of the logic CTL*, which combines both branching-time and linear-time operators, could be checked with essentially the same complexity as formulas of linear temporal logic. Vardi and Wolper [29] showed how the model checking problem could be formulated in terms of automata, thus relating the model checking approach to the work of Kurshan. 



3 New Implementations 

In the original implementation of the model checking algorithm, transition relations were represented explicitly by adjacency lists. For concurrent systems with small numbers of processes, the number of states was usually fairly small, and the approach was often quite practical. Recent implementations [9,21] use the same basic algorithm; however, transition relations are represented implicitly by ordered binary decision diagrams (OBDDs) [6]. OBDDs provide a canonical form for boolean formulas that is often substantially more compact than conjunctive or disjunctive normal form, and very efficient algorithms have been developed for manipulating them. Because this representation captures some of the regularity in the state space determined by circuits and protocols, it is possible to verify systems with an extremely large number of states — many orders of magnitude larger than could be handled by the original algorithm. 

The implicit representation is quite natural for modeling sequential circuits and protocols. Each state is encoded by an assignment of boolean values to the set of state variables associated with the circuit or protocol. The transition relation can, therefore, be expressed as a boolean formula in terms of two sets of variables, one set encoding the old state and the other encoding the new. This formula is then represented by a binary decision diagram. The model checking algorithm is based on computing fixed points of predicate transformers that are obtained from the transition relation. The fixed points are sets of states that represent various temporal properties of the concurrent system. In the new implementations, both the predicate transformers and the fixed points are represented with OBDDs. Thus, it is possible to avoid explicitly constructing the state graph of the concurrent system. 
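The fixed-point computation described above, as an added example that is not code from the paper or from SMV: states are assignments of boolean values to the state variables of a constructed toy request/acknowledge handshake, the transition relation R is a predicate over (old, new) assignments, and EU and EG are computed as least and greatest fixed points of the pre-image transformer, with AF and AG obtained by duality. Sets of states are plain Python sets where SMV uses OBDDs, so the iteration is the same but without the compactness; the liveness property fails for exactly the reason Section 2 gives, an unfair execution in which the server never finishes, and the failed AG yields a counterexample trace.

```python
"""CTL model checking by fixed points over an implicitly encoded transition relation.

Added example (not code from the paper or from SMV). States are assignments of
boolean values to the state variables; the transition relation R is a predicate
over (old, new) assignments; temporal operators are fixed points of the
pre-image transformer. Sets of states are Python sets where SMV uses OBDDs.
"""
from itertools import product

VARS = ("req", "busy", "done")                           # constructed toy handshake
U = frozenset(product((False, True), repeat=len(VARS)))  # all assignments, as tuples
INIT = {(False, False, False)}                           # idle, nothing requested

def R(s, t):
    """Constructed transition relation R(old, new) of the toy handshake."""
    req2, busy2, done2 = t
    if s == (False, False, False):            # idle: environment may raise req
        return (busy2, done2) == (False, False)
    if s == (True, False, False):             # request pending: start serving
        return t == (True, True, False)
    if s == (True, True, False):              # working: keep working or finish
        return (req2, busy2) == (True, True)
    if s == (True, True, True):               # finished: acknowledge, back to idle
        return t == (False, False, False)
    return False                              # unreachable encodings: no successors

def pre(Z):
    """Pre-image transformer: states with at least one successor in Z."""
    return {s for s in U if any(R(s, t) for t in Z)}

def atom(name):
    return {s for s in U if s[VARS.index(name)]}

def NOT(S): return U - S
def IMPLIES(A, B): return NOT(A) | B

def EU(P, Q):
    """E[P U Q]: least fixed point of Z = Q or (P and pre(Z))."""
    Z = set(Q)
    while True:
        nxt = Q | (P & pre(Z))
        if nxt == Z:
            return Z
        Z = nxt

def EG(P):
    """EG P: greatest fixed point of Z = P and pre(Z)."""
    Z = set(P)
    while True:
        nxt = P & pre(Z)
        if nxt == Z:
            return Z
        Z = nxt

def EF(Q): return EU(U, Q)
def AF(Q): return NOT(EG(NOT(Q)))
def AG(P): return NOT(EF(NOT(P)))

def holds(S):
    """The model satisfies a formula iff every initial state is in its state set."""
    return INIT <= S

def counterexample_prefix(bad):
    """Shortest reachable path from INIT into the set `bad` (breadth-first)."""
    frontier, seen = [[s] for s in sorted(INIT)], set(INIT)
    while frontier:
        path = frontier.pop(0)
        if path[-1] in bad:
            return path
        for t in sorted(U):
            if R(path[-1], t) and t not in seen:
                seen.add(t)
                frontier.append(path + [t])
    return None

def eg_lasso(s, Z):
    """Witness for EG: follow successors inside the fixed point Z until a state repeats."""
    path = [s]
    while path.count(path[-1]) < 2:
        path.append(next(t for t in sorted(U) if R(path[-1], t) and t in Z))
    return path

def check_safety():
    """AG(done -> busy): nothing is ever marked done while the server is idle."""
    return holds(AG(IMPLIES(atom("done"), atom("busy"))))

def check_liveness():
    """AG(req -> AF done): every request is eventually served. Fails without a
    fairness assumption, because the server may stay busy forever."""
    spec = IMPLIES(atom("req"), AF(atom("done")))
    if holds(AG(spec)):
        return True, None
    prefix = counterexample_prefix(NOT(spec))            # reach a state where AF done fails
    loop = eg_lasso(prefix[-1], EG(NOT(atom("done"))))   # then show the infinite ~done path
    return False, prefix + loop[1:]

if __name__ == "__main__":
    print("AG(done -> busy):", check_safety())
    print("AG(req -> AF done):", check_liveness())
```

The returned trace ends in a repeated state, i.e. the loop of an infinite execution, which is the shape of counterexample a fairness constraint on the server would rule out.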

The model checking system that McMillan developed as part of his Ph.D. thesis is called SMV [21]. It is based on a language for describing hierarchical finite-state concurrent systems. Programs in the language can be annotated by specifications expressed in temporal logic. The model checker extracts a transition system from a program in the SMV language and uses an OBDD-based search algorithm to determine whether the system satisfies its specifications. If the transition system does not satisfy some specification, the verifier will produce an execution trace that shows why the specification is false. The SMV system has been distributed widely, and a large number of examples have now been verified with it. These examples provide convincing evidence that SMV can be used to debug real industrial designs. 

4 Related Verification Techniques 

A number of other researchers have independently discovered that OBDDs can be used to represent large state-transition systems. Coudert, Berthet, and Madre [12] have developed an algorithm for showing equivalence between two deterministic finite-state automata by performing a breadth first search of the state space of the product automata. They use OBDDs to represent the transition functions of the two automata in their algorithm. Similar algorithms have been developed by Pixley [23,24,25]. In addition, several groups including Bose and Fisher [1], Pixley [23], and Coudert et al. [13] have experimented with model checking algorithms that use OBDDs. Although the results of McMillan’s experiments [8,9] were not published until the summer of 1990, his work is referenced by Bose and Fisher in their 1989 paper [1]. 

5 Example: Space Shuttle Digital Autopilot 

We illustrate the power of model checking to find subtle errors by considering a protocol used by the Space Shuttle. We discuss the verification of the Three-Engines-Out Contingency Guidance Requirements using the SMV model checker. The example describes what should be done in a situation where all of the three main engines of the Space Shuttle fail during the ascent. The main task of the Space Shuttle Digital Autopilot is to separate the shuttle from the external tank. This task has many different input parameters, and it is important to make sure that all possible cases and input values are taken into account. 
The Digital Autopilot chooses one of the six contingency regions depending on the current flight conditions. Each region uses different maneuvers for separating from the external tank. This involves computing a guidance quaternion. Usually, the region is chosen once at the beginning of the contingency and is maintained until separation occurs. However, under certain conditions a change of region is allowed. In this case, it is necessary to recompute the quaternion and certain other output values. Using SMV we were able to find a counterexample in the program for this task. We discovered that when a transition between regions occurs, the autopilot system may fail to recompute the quaternion and cause the wrong maneuver to be made. The guidance program consists of about 1200 lines of SMV code. The number of reachable states is 2 • 10^^, and it takes 60 seconds to verify 40 CTL formulas. 

Specifically, the error occurs when a change is made from region 2 to region 1. Region 2 is selected initially if the Shuttle is descending and the dynamic pressure is not safe for attitude independent separation. In this region it is necessary to consider the position of the craft relative to its velocity vector, and the quaternion computed in this region is supposed to minimize the angle of attack and the side slip. However, if the side slip is too big and the dynamic pressure builds up too quickly, meaning that we do not have enough time to perform the maneuver, then the program performs the transition to region 1 — an attitude independent emergency separation. 

In this mode, in contrast to region 2, the current values of the angle of attack and the side slip must be frozen, and the tank will separate as soon as the angle rates become relatively small. A special flag called Freeze_flag is set to indicate this maneuver. However, the quaternion from region 2 is not recomputed and causes the space shuttle to rotate. This violates the condition that the angle of attack and sideslip should be frozen. Since the part of the specifications we possessed does not indicate whether the Freeze_flag has a precedence over the quaternion or not, this situation may lead to an incorrect behavior of the Space Shuttle in a critical situation. 

The same example was also verified by Judith Crow at SRI [14] using an explicit state model checker called Murφ. She had to abstract away many variables to avoid the state explosion problem, and her model was not as complete as ours. She found a similar error in the transition from region 2 to region 1, but for a different variable, which turned out to be correct in our model. Instead, the error shows up in the quaternion, which she didn’t consider. 
Abstract. The Tableaux 98 conference included a comparison of automated theorem provers for some modal logics. Our aim was to make the existing provers better known and to show what possibilities they offer. This comparison included benchmarks for the propositional modal logics K, KT and S4. Although efficiency is an important aspect, depending on the intended application other qualities can be as important, such as portability, construction of counter-models, user-friendliness, or small size. 

We first discuss our aims in more detail, explain the applied benchmark 
method, and finally give a short summary of the results. The submissions 
of the participants follow in alphabetic order. 



During the last years, there has been considerable progress in the area of 
theorem provers for modal logics, and various methods have been proposed and 
implemented. One aim of this comparison is to make the available provers known 
to a wider audience. Others can profit from these experiences, such that they 
can come up with ‘better’ provers instead of reinventing the wheel. 

The quotation marks above already indicate that it is not at all clear when a prover is better than another one. Efficiency is probably the criterion that comes first to one’s mind, and efficiency was indeed an important part of this comparison. But first we would like to show that there are many other aspects that can be as important. 

To achieve good portability and maintainability is certainly harder for a large prover than for a prover with few lines of code. Moreover, every optimisation makes a prover more error-prone. If an application does not require a very efficient prover, a small prover might therefore be preferable to a fast and intricate one. 

Although we concentrated on three logics in this comparison, it is of course 
an advantage if the same prover can deal with other logics as well, e.g. with 
further propositional modal logics or with extensions of K. Again this can be a 
trade-off: If we use a specialised prover for each logic, it can be tuned, but then 
each prover has to be checked for errors separately. 

A decision procedure is preferable to a non-complete prover. Sometimes the user would like even more information, e.g. a proof if the formula is provable and otherwise a counter-model. Provided that the model is not too large, the latter can be helpful to understand why a formula is not provable. For educational purposes the user-friendliness is also an important issue.

All submissions include the results of the respective prover on a set of bench- 
mark formulas. There is a large number of modal logics. We confined ourselves 
to the three propositional modal logics K, KT, S4, as they seem to be among the 
most widespread ones. Such a restriction is always somewhat arbitrary. 

For each of the logics K, KT, S4 there were nine provable and nine unprovable parametrised formulas (with names ending in ‘p’ and ‘n’, respectively). Let A(n) be one of these parametrised formulas. The participants had to determine for which n they could decide in less than 100 seconds whether the formula is provable or not. Example: The number 6 for the parametrised formula k_branch_p means that the prover returned the correct result for the formula k_branch_p(6) in less than 100 seconds, and that it took more than 100 seconds to compute the result for k_branch_p(7). (The formulas will still be available after the conference via http://lwbwww.unibe.ch:8080/LWBinfo.html; there you will also find a technical report concerning these benchmark formulas.) We did not try to standardise the hardware, but because of the form of the benchmark this should not influence the results too much.

One property of the benchmark method is that the result consists of relatively 
few numbers, but it is still not easy to decide whether one prover is faster than 
another. Since the scalable formulas have different characteristics, a prover can 
be very fast in one case and slow in another, and often there is a considerable 
difference between provable and unprovable formulas. 

The results show that the time when it was hard for a prover to decide whether a formula like □(□(p → □p) → p) → (◇□p → p) is provable in S4 is over. Just to give an impression we display the formula k_lin_p(3), which proved to be easy for all the participants.

¬(□((p1 ∧ □p1 ∧ p1 → p2) ∨ (¬p1 → ¬(□p2 ∧ p2))) ∧ □(□(p1 ∧ □p1 ∧ p1 → p2) ∨ (¬p1 → ¬(□p2 ∧ p2))) ∧ □((p1 ∧ □p1 ∧ p1 → p2) ∨ □(¬p1 → ¬(□p2 ∧ p2))) → □(p1 ∧ □p1 ∧ p1 → p2) ∨ □(¬p1 → ¬(□p2 ∧ p2)))
∨ (□(p3 ∧ □p3 → p3) ∨ □(p3 ∧ □p3 → p3))
∨ (¬(□((p2 ∧ □p2 ∧ p2 → p3) ∨ (¬p2 → ¬(□p3 ∧ p3))) ∧ □(□(p2 ∧ □p2 ∧ p2 → p3) ∨ (¬p2 → ¬(□p3 ∧ p3))) ∧ □((p2 ∧ □p2 ∧ p2 → p3) ∨ □(¬p2 → ¬(□p3 ∧ p3))) → □(p2 ∧ □p2 ∧ p2 → p3) ∨ □(¬p2 → ¬(□p3 ∧ p3)))
∨ ¬(□((p3 ∧ □p3 ∧ p3 → p4) ∨ (¬p3 → ¬(□p4 ∧ p4))) ∧ □(□(p3 ∧ □p3 ∧ p3 → p4) ∨ (¬p3 → ¬(□p4 ∧ p4))) ∧ □((p3 ∧ □p3 ∧ p3 → p4) ∨ □(¬p3 → ¬(□p4 ∧ p4))) → □(p3 ∧ □p3 ∧ p3 → p4) ∨ □(¬p3 → ¬(□p4 ∧ p4))))

Another conclusion from the comparison is that there is no method that clearly outperforms all the others. It seems that at the moment it is not the method alone that decides whether or not a prover is fast, but first and foremost the way it is implemented and the optimisations that are used.

The good results of some provers should not prevent people from implementing a new prover; as we have outlined above, efficiency is only one aspect. However, we think that a prover, provided that it is not designed for a specific class of formulas, should not be announced as ‘very fast’ or ‘state-of-the-art’ or ..., unless it can compete with the participants of this comparison.

Last but not least we would like to thank Roy Dyckhoff for his help. 
FaCT: The tests were performed using FaCT version 1.2. FaCT is a description logic classifier whose description language is a superset of K4(m) and whose
subsumption reasoning uses a sound and complete tableaux algorithm. FaCT 
employs a wide range of optimisations, in particular a form of dependency di- 
rected backtracking called backjumping which can significantly reduce the size 
of the search space [5]. The FaCT algorithm does not support KT and S4 ex- 
plicitly, but FaCT includes a preprocessing and encoding optimisation which is 
also able to apply the standard embedding of KT and S4 in K and K4 respec- 
tively: the time taken for preprocessing and embedding is included in the results. 
Programming language: Common Lisp (compiled). 



DLP: The ideas in FaCT are being incorporated into a new generation of Description Logic systems. Initial experiments in this effort have resulted in a modal prover for a superset of K4(m), which has provisionally been called DLP. The
DLP prover has control over several options, including backjumping and caching 
partial results. Both of these mechanisms have proved to be very useful in the 
benchmarks, with caching being the more powerful. As an experimental pro- 
ver, there are essentially no user amenities in DLP, but the final Description 
Logic system will have a full user interface and other amenities. Programming 
language: ML (compiled). 



The other provers: For comparative purposes the tests for K and KT were 
repeated using three other available provers: Crack version 1.0 beta 15 [3], 
KSAT [4] and Kris [2,1]. Crack and Kris are also description logic classifiers 
which use sound and complete tableaux algorithms while KSAT is a K(m) prover which uses an algorithm based on propositional satisfiability (SAT) testing.
None of these systems supports transitive relations so they could not be used 
for S4. The KT tests were performed by using the standard embedding of KT 
in K: the time taken for the embedding is not included in the results for these 
systems. 

All three systems are programmed in Common Lisp (compiled). It should be pointed out that neither Crack nor Kris are intended as stand-alone K provers and for many classes of formula a significant improvement in their performance
could be achieved by preprocessing and encoding large formulae, a technique 
which is used by both FaCT and KSAT. Both Crack and Kris support much 
richer logics than K (for example Crack can reason about converse relations) 
and can also reason about nominals (individuals). 



Availability: The sources for FaCT are available from the first author’s home page: http://www.cs.man.ac.uk/~horrocks; the DLP prover is currently under development, but the benchmark version and full timing results are also available from the same location. Contacts for information about the other systems are:

Crack — Enrico Franconi, franconi@irst.itc.it; 

KSAT — Roberto Sebastiani, rseba@irst.itc.it; 

Kris — H.-J. Burckert, hjb@dfki.uni-sb.de. 



Advantages: FaCT has been tested using several Common Lisps including 
GNU Lisp and should thus be highly portable. As well as K, KT and S4 it can 
also deal with K4. The implemented logic is significantly more expressive than 
S4: it includes support for a hierarchy of multiple modalities (roles), functional 
roles and global axioms. DLP should also be highly portable: the ML compiler 
runs on a variety of platforms and is freely available from several sites, including 
http://cm.bell-labs.com/cm/cs/what/smlnj.



Hardware and Software: For DLP: SPARC clone; main memory 132MB; 150 
MHz Ross RT626 CPU; SML-NJ compiler, version 109.32. For the other provers: 
Sun Ultra 1; main memory 32MB; 147 MHz CPU; Solaris; Allegro CL 4.3. 



Results: To demonstrate the effectiveness of the backjumping optimisation the 
tests were also performed using FaCT with backjumping disabled: the resulting 
prover is referred to as FaCT*. The results of the tests are given in Tables 1, 2 
and 3. Both FaCT and DLP performed reasonably well with all classes of K and 
KT formula, trivially solving most of the K formulae, and in the case of DLP 
many of the KT and S4 formulae. 

FaCT and DLP significantly outperformed all the other provers, and in many 
cases they also exhibited a completely different qualitative performance. For 
example, with k-dum-p the other provers all show an exponential increase in 
solution times with increasing formula size, whereas the times taken by FaCT 
and DLP increase very little for larger formulae (and FaCT is already 2,000 
times faster for the largest formula solved by another system). 

The results for FaCT* demonstrate that backjumping accounts for a sig- 
nificant proportion of FaCT’s performance advantage over the other systems, 
particularly with respect to provable formulae, and experiments with DLP sug- 
gest that caching is even more effective. However the performance of FaCT* 
still compares favourably with that of the other systems and it still exhibits a different qualitative performance in some cases (e.g. k_lin_p). DLP is more effective with non-provable formulae, and for some classes of provable formulae it is outperformed by FaCT; this phenomenon is the subject of continuing research.

Table 1. Results for K, KT and S4

A well engineered C code implementation of KSAT is now available, and has 
been observed to outperform the Lisp version by a significant margin (as much 
as 100 times). It is likely that significant improvements to the performance of 
FaCT and DLP could also be achieved by employing more sophisticated software 
engineering. 
1 Prover

The proposed prover implements a decision procedure for the propositional logic KT4. It is based on a paper of Laurent Catach (see [1]).

The code can be loaded at the address:

ftp://ftp.imag.fr/pub/PLIAGE/Michel.Levy/prover.bin

The program runs under the operating system Solaris. It is written in the Ocaml language (see [2]) and is compiled by the native-code compiler ocamlopt.

2 Algorithms 

An assumption is a pair (state, formula) whose intuitive meaning is: I assume that the formula is true in its associated state.

Each time you apply a rule to an assumption, this assumption receives a mark. A tableau is a list of assumptions and a relation between the states.

2.1 Non-Modal Rules

Let A and B be two formulae and e a state. When we apply a rule to the unmarked assumption e : (A or B), we create two copies of the tableau containing the assumption, one copy receiving the new assumption e : A and the other the new assumption e : B.

2.2 Box Rule 

Let R be the relation associated with a tableau containing the unmarked assumption e : (box A). When we apply a rule to this assumption, we add to the tableau the assumptions f : A for every state f such that e R* f, where R* is the reflexive and transitive closure of the relation R.

2.3 Dia Rule 

In a given tableau, it is possible to apply a rule to an assumption of the form e : (dia A) only if no other rule can be applied. Let us consider such a tableau and such an assumption, R being the relation associated with the tableau.

Let E be the following set of formulae: B is a member of E if and only if B is A or the tableau has an already marked assumption f : (dia B) with f R* e. We have two cases:

1. We say that a formula B is in the state g if the tableau contains an assumption g : B. If there exists a state g such that E is included in the set of the formulae in the state g, we add the edge (e, g) to the relation R.

2. If such a state does not exist, we add a new state g, the edge (e, g) and every assumption g : B such that B is a member of E.

3 Advantages of the Prover 

1. The source code, written in Ocaml [2], is short (less than 860 lines), so the prover is easy to maintain.

2. Not only does the prover test the validity of formulae, but for a non-valid formula it gives a counter-model of the formula.

4 Results 

With the exception of the s4_md_n and s4_md_p formulae, my prover is less efficient than the LWB prover. This exception is easy to explain: my prover reduces the modalities using the identities valid in KT4: box box = box, dia dia = dia, dia box dia box = dia box. I give the results in the LWB presentation: each filename of the benchmark is followed by the number of formulae proved (or disproved) in less than 100 seconds.
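The modality reductions just mentioned, as an added Python example (not the prover's own code): a bottom-up rewrite that applies the three identities from the text and also the dual of the third, box dia box dia = box dia, which holds in S4 as well but is not listed above. The tuple encoding of formulas and the names reduce_modalities and modal_depth are assumptions of the example.

```python
# Added example, not the prover's code: the KT4 (S4) modality reductions
# mentioned in the results, applied bottom-up to a formula tree.  Formulas are
# tuples (assumed encoding): ('atom','p'), ('not',A), ('and',A,B), ('or',A,B),
# ('imp',A,B), ('box',A), ('dia',A).

def reduce_modalities(f):
    """Rewrite with the identities box box A = box A, dia dia A = dia A and
    dia box dia box A = dia box A from the text, plus the dual
    box dia box dia A = box dia A, which also holds in S4 (not listed above)."""
    if f[0] == 'atom':
        return f
    args = tuple(reduce_modalities(a) for a in f[1:])   # reduce the subformulas first
    op, inner = f[0], args[0]
    if op in ('box', 'dia'):
        if inner[0] == op:                 # op op A  ->  op A
            return inner
        dual = 'dia' if op == 'box' else 'box'
        if inner[0] == dual and inner[1][0] == op and inner[1][1][0] == dual:
            return inner[1]                # op dual op dual A  ->  op dual A
    return (op,) + args

def modal_depth(f):
    """Longest chain of nested modalities: the measure the reductions shrink."""
    if f[0] == 'atom':
        return 0
    deepest = max(modal_depth(a) for a in f[1:])
    return deepest + 1 if f[0] in ('box', 'dia') else deepest

if __name__ == '__main__':
    P = ('atom', 'p')
    before = ('dia', ('box', ('dia', ('box', ('box', P)))))   # dia box dia box box p
    after = reduce_modalities(before)
    print(modal_depth(before), '->', modal_depth(after), after)   # 5 -> 2 ('dia', ('box', P))
```

Because the subformulas are reduced before their parent, a single pass suffices: a reduction at a node only ever returns an already reduced subtree, so no new redex appears at that node. On formula families built from long modality chains, such as the s4_md ones, this is why the prover's running time no longer grows with the nesting depth.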
The Prover

leanK 2.0 implements an extension of the “Free Variable Tableaux for Propositional Modal Logics” reported by us in [1]. It performs depth first search and is based upon the original leanTAP prover of Beckert and Posegga [2]. Formulae
annotated with labels containing variables capture the universal and existential 
nature of the box and diamond modalities, respectively, with different varia- 
ble bindings closing different branches. Prolog’s built-in clause indexing scheme, 
unification facilities and built-in backtracking are used extensively. 

In its new version, leanK’s calculus includes additional methods for restricting the search space, which turn it into a decision procedure for the logics K, KT, and S4.



Availability 

The source code for leanK is available at http://il2www.ira.uka.de/modlean 
on the World Wide Web. 



Advantages 

The main advantages of leanK are its modularity, its small size and its versatility. 
Minimal changes in the rules give provers for all the 15 basic normal modal logics. 
By sacrificing modularity we can obtain specialised (faster) provers for particular 
logics like K45D, G and Grz. It is easy to obtain an explicit counter-example 
from a failed proof attempt. 



Programming Language, Operating System, Hardware 

leanK is implemented in Prolog; we used SICStus Prolog 3, but leanK can easily
be adapted to other Prolog dialects. For obtaining the results shown here, we 
used a Sun Ultra 1 Model 170 with 128 MB main memory, running under the 
Solaris operating system. 
Results

The strength of leanK clearly is its small size and adaptability and not its per- 
formance. Nevertheless, leanK is able to solve at least a few formulae in most 
classes. With the exception of k_grz, leanK’s performance for provable formulae 
is better than that for non-provable formulae. 

Since leanK’s calculus is better suited for serial logics, the results of the KD 
version for the provable K examples are shown as well. 
Prover: Logics Workbench (LWB), version 1.0. See the LWB home page for more information.

The LWB does backward proof search in two-sided sequent calculi. In the case of S4 we use a loop-check in order to ensure termination. With ‘use-check’ we cut off unnecessary branches generated by invertible rules with two premises: if, e.g., in the proof of Δ ⊃ A, Γ the formula A is not ‘used’, then we know that Δ ⊃ A ∧ B, Γ is provable as well. Duplicate formulas are deleted. Structure sharing helps to reduce the copying of formulas and sequents. No heuristics. Programming language: C++. Compiler: Sun C++ 4.0.1. Operating system: Solaris 2.4.

Availability: The binaries of the LWB 1.0 are available via the LWB home page (choose ‘about the LWB’, then ‘install the LWB’).

You can also use the LWB 1.0 via WWW. Choose ‘run a session via WWW’ on the LWB home page and type in your request.

Additional facilities of the prover: Graphical user interface, built-in pro- 
gramming language, progress indicator (a slider shows how the proof search is 
going on), trace of the proof search is available, various functions to convert 
formulas. 

Hardware: Sun SPARCstation 5, main memory: 80MB, 1 CPU (70 MHz micro- 
SPARC II) 

Timing: The timing includes parsing of the formulas and the construction of the corresponding data structure. The files loaded by the LWB have the following form: load(s4); timestart; provable(box p0 -> box box p0); timestop; quit;

Results: 
Prover: We facilitate modal theorem proving in a first-order resolution calculus
implemented in SPASS Version 0.77 [4]. SPASS uses ordered resolution and or- 
dered factoring, it supports splitting and branch condensing (splitting amounts 
to case analysis while branch condensing resembles branch pruning in the Log- 
ics Workbench), it has an extensive set of reduction rules including tautology 
deletion, subsumption and condensing, and it supports dynamic sort theories by 
additional inference and reduction rules. 

The translation we use is the optimised functional translation [2]. It maps normal propositional modal logics into a class of path logics. Path logics are clausal logics over the language of the monadic fragment of sorted first-order logic with a special binary function symbol for defining accessibility. Clauses of path logics are restricted in that only Skolem terms which are constants may occur and the prefix stability property holds. Ordinary resolution without any refinement strategies is a decision procedure for the path logics associated with K(m) and KT(m) [3]. Our decision procedure for S4 uses an a priori term depth bound.

Availability: SPASS and a routine for the translation of modal formulae are 
available from http://www.mpi-sb.mpg.de/~hustadt/mdp 
Advantages of the prover: SPASS is a fast and sophisticated state-of-the-art 
first-order theorem prover. Ordered inference rules and splitting are of partic- 
ular importance when treating satisfiable formulae, while unit propagation and 
branch condensing are important for benchmarks based on randomly generated 
modal formulae [1]. 

Advantages of translation approaches: In its most general form the transla- 
tion approach can deal with any complete, finitely axiomatizable, normal modal 
logic. Moreover, any first-order theorem prover can be used, that is, we may 
substitute SPASS with another theorem prover (not necessarily a resolution 
theorem prover). The relational and optimised functional translation approach 
are refinements of the general translation approach towards efficient modal the- 
orem proving. The optimised functional translation is applicable to many propo- 
sitional modal logics, including K, KT, and S4 and their multi-modal versions, 
but notably also to some second-order modal logics, like KM [2]. A general result
shows that any first-order resolution theorem prover (with condensing) provides 
a decision procedure for a variety of modal logics [3]. 

Hardware: Sun Ultra 1 Model 170E (167 MHz UltraSPARC processor, 512 KB 
second level cache), 192 MB main memory. 
Results: On classes of provable formulae (in the first column), the combination of the optimised functional translation approach and SPASS has little difficulty. Notable exceptions are the classes k_ph_p, kt_ph_p, s4_ph_p, k_branch_p and s4_ipc_p. Observe that SPASS solves more formulae in s4_branch_p than in either kt_branch_p or k_branch_p. While for the basic modal logic the classes of non-provable formulae (in the second column) are not harder than the classes of provable formulae, we see a noticeable difference between kt_dum_n, kt_poly_n, and kt_t4p_n and the corresponding classes of provable KT-formulae. However, the results are still acceptable. In contrast, for the classes s4_45_n, s4_grz_n, s4_s5_n, and s4_t4p_n of non-provable S4-formulae the performance is unsatisfactory. We attribute this to using superposition and not Pi-unification, and to enforcing termination by an explicit term depth bound instead of a loop check. For the classes s4_45_n and s4_s5_n there are trivial satisfiability checks on the clause level which are not implemented in SPASS.
Prover: We used □KE (no version number), which was designed to be a generic theorem prover for the family of 15 normal modal logics.

□KE is based on the calculus KE [1] and Fitting’s prefixed tableaux [2], where the calculus is extended to include elimination rules for the □ and ◇ operators, and the prefixes are generalized to include variables. The type of any variable is determined by the logic and the extension to a prefix introduced by the □ and ◇ rules is also contingent on the logic. Prefixes must unify when applying KE’s β and closure rules: although there are some extra side-conditions on the closure rule for certain logics, the unification algorithm remains constant for all logics. The paper [3] contains the details.

For all the logics, □KE uses depth first proof search. No optimizations are used. Programming language: ICL/ECRC ECLiPSe Constraint Prolog 3.5.2 (compiled). Operating system: Solaris.

Availability: The sources are not available except via request from the author.
Advantages of the prover: □KE has no distinguishing features with regard to its size, speed, efficacy, correctness, portability, and maintenance.

The total size of all the code is approximately 52K, with an extra 27K if the modules for recording a proof tree and displaying the output in HTML or are required. It is implemented in Prolog, with all the concomitant implications for speed and efficiency that this entails. The system is intended to provide coverage for all the normal modal logics, but there do appear to be types of problem for which the system is not best suited. The system is based on a calculus, as specified in [3], from which the (any) implementation could be developed: we do not have soundness and completeness proofs for this calculus (irrespective of any guarantee that these still hold in an implementation based on an incomplete inference engine). We would currently only commit ourselves to the intuitionistic statement that the system appears at best to be not unsound. Although □KE has been implemented in a “standard” programming language, one attempt at porting to a different Prolog platform was not quickly successful and was abandoned. The process of iterative and incremental development which this system has undergone would suggest that, in its current state, maintenance by any persons other than the current implementors would most likely be problematic. On the other hand, the system was aimed at covering a number of logics without loss of generality, and is intended for “real” applications rather than simply verifying a theoretical formulation. The utility of □KE is therefore threefold. Firstly, it handles the entire range of normal modal logics, using a generic decision procedure and unification algorithm, with logic-dependent side conditions on the □, ◇, and closure rules, and very few other exceptions. Secondly, it achieves reasonable results on all three sets of benchmark tests, which is suggestive that it can be used for non-trivial problems. Finally, it provides evidence that the approach based on the generalization of Fitting’s prefixed tableau is sound, and valuable experience for future re-engineering.

Two other comments are worth making. Firstly, the proof (or non-proof) trees that □KE can be set to “dump” during runtime, or can construct for inspection afterwards, are reasonably perspicuous and a significant aid to explanation and discovery. A decent user interface would help considerably though. Secondly, these benchmarks only tested time, and not space. In previous work [4] we evaluated the first order theorem prover leanKE with another based on the tableau method: the results suggested that the simpler branching rules of the KE calculus made it more space-efficient, especially as the test problems became harder. It would be interesting to know if this also applies to the modal logic cases.

Two other comments are worth making. Firstly, the proof (or non-proof) trees 
that DKE can be set to “dump” during runtime, or can construct for inspec- 
tion afterwards, are reasonably perspicuous and a significant aid to explanation 
and discovery. A decent user interface would help considerably though. Secondly, 
these benchmarks only tested time, and not space. In previous work [4] we eva- 
luated the first order theorem prover leanKE with another based on the tableau 
method: the results suggested that the simpler branching rules of the KE calcu- 
lus made it more space-efficient, especially as the test problems became harder. 
It would be interesting to know if this also applies to the modal logic cases. 
Hardware: Sun SPARC-5, main memory: 64MB, 110MHz microSPARC-2 CPU.
Results: The benchmark results for speed of execution are a more or less “normal distribution” that might be expected from an experimental system on ‘unseen’ problems, without any attempt to implement any optimizations. It appears to be moderate at some types of problem and rather less good at others. In nearly all cases the performance for the provable formulas was better than for the non-provable formulas, the exception being the Grz formulas. In general, it does better on K than on either KT or S4, and marginally better on KT than on S4.
1 Topic/Relevance

This tutorial intends to convey the step-by-step process by which computer 
programs for model checking and satisfiability testing for temporal logics may 
be derived from the theory. The idea is to demonstrate that it is very well 
possible to implement such a program in an efficient way without sacrificing a 
correct-by-construction approach. The tutorial will be fully self-contained, only 
a general knowledge of programming and propositional logic is assumed. 

The proposed tutorial focuses on what might be coined “Implementing the 
theories” . Unfortunately, too often an interesting approach or novel algorithm 
once published is not picked up by any user community. This is partly because no 
effort is spent in creating a state-of-the-art implementation in a readily accessible 
form. The intended audience are researchers in the field of theorem proving and 
any users of applications thereof. They will benefit from learning how theoretical 
results can be implemented in a well-written prototype program. Moreover, being 
a prototype should not be an excuse for not using advanced datastructures and 
algorithms. Therefore this tutorial takes an engineering approach to dealing with 
complicated issues such as reasoning in temporal logic, and shows that with a 
structured approach a powerful tool can be built that is able to handle real-life 
applications, for instance verification of sequential circuits. 

2 Contents Outline

Below an outline is given of the tutorial contents. Much of the material on CTL 
model checking is based on the pioneering work in this area by Clarke et al. 

1. Introduction. Presents the tutorial contents and sets its goals. 

2. Dags. Directed acyclic graphs are the data structure underlying BDDs. Dags will also be used to represent formulas. An efficient implementation based on a hash table and utilizing garbage collection will be discussed.

3. BDDs. Explains what Binary Decision Diagrams are, how they can be effi- 
ciently implemented, and what their applications are. 

4. Kripke Structure Model. Introduces the notion of a Kripke structure 
that is used as a model for the system we like to reason about. 
5. Computation Tree Logic. Defines the syntax and semantics of a class of branching time logics.

6. CTL Model Checking. Shows how a model checker for CTL can be con- 
structed in elegant way using a simple algorithm to calculate a fixed-point 
of a functional. Also, it is shown how BDDs can be exploited to represent 
the next-state relation and state-sets of the Kripke structure. 

7. Linear-time Temporal Logic. Defines the syntax and semantics of the 
popular Manna/Pnueli propositional linear-time temporal logic. 

8. PTL Satisfiability Checking. Shows how a satisfiability checker can be 
constructed for PTL. Again, BDDs will be used to represent the structure 
of the generated tableau. 

9. Diversion into μ-calculus. Briefly explains Kozen’s μ-calculus and shows how both CTL and PTL problems can be encoded in it. An implementation of μ-calculus is sketched.

10. Summary and conclusions. Summarizes the presented material and dem- 
onstrates the derived programs by some example runs and lists results of 
experiments. 

The bibliography lists a number of articles and books on which the tutorial material will be based.
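The fixed-point construction of item 6 (a CTL model checker over a Kripke structure), as an added Python example that is not the tutorial's own code: Python sets stand in for the BDD-represented state sets and next-state relation, so the same two fixed-point iterations that item 6 describes can be read directly. The Kripke class, the check function and the constructed arbiter system are assumptions of the example.

```python
# Added example, not the tutorial's own code: an explicit-state CTL model
# checker in the fixed-point style of item 6 above, with Python sets standing
# in for the BDD-represented state sets.  Formulas are tuples (assumed encoding):
# ('true',), ('atom','a'), ('not',f), ('and',f,g), ('or',f,g), ('imp',f,g),
# ('EX',f), ('EG',f), ('EU',f,g) and the derived ('EF',f), ('AF',f), ('AG',f).
from dataclasses import dataclass

@dataclass
class Kripke:
    states: frozenset
    trans: dict      # state -> set of successor states (every state has one)
    labels: dict     # state -> set of atomic propositions true in it

    def pre(self, target):
        """States with at least one successor in target (semantics of EX)."""
        return {s for s in self.states if self.trans[s] & target}

def fixpoint(functional, start):
    """Iterate a monotone functional on state sets until it stops changing."""
    cur = set(start)
    while True:
        nxt = functional(cur)
        if nxt == cur:
            return cur
        cur = nxt

def check(k, f):
    """Return the set of states of k in which the CTL formula f holds."""
    op = f[0]
    if op == 'true':
        return set(k.states)
    if op == 'atom':
        return {s for s in k.states if f[1] in k.labels[s]}
    if op == 'not':
        return set(k.states) - check(k, f[1])
    if op == 'and':
        return check(k, f[1]) & check(k, f[2])
    if op == 'or':
        return check(k, f[1]) | check(k, f[2])
    if op == 'imp':
        return check(k, ('or', ('not', f[1]), f[2]))
    if op == 'EX':
        return k.pre(check(k, f[1]))
    if op == 'EU':     # least fixed point of Z = B or (A and EX Z), from the empty set
        a, b = check(k, f[1]), check(k, f[2])
        return fixpoint(lambda z: b | (a & k.pre(z)), set())
    if op == 'EG':     # greatest fixed point of Z = A and EX Z, from A itself
        a = check(k, f[1])
        return fixpoint(lambda z: a & k.pre(z), a)
    if op == 'EF':     # EF f = E[true U f]
        return check(k, ('EU', ('true',), f[1]))
    if op == 'AF':     # AF f = not EG not f
        return check(k, ('not', ('EG', ('not', f[1]))))
    if op == 'AG':     # AG f = not EF not f
        return check(k, ('not', ('EF', ('not', f[1]))))
    raise ValueError(f'unknown operator {op}')

# Constructed sample system (not from the tutorial): a tiny bus arbiter.
# 0: request pending, 1: arbitrating, 2: grant issued, 3: error (absorbing).
ARBITER = Kripke(
    states=frozenset({0, 1, 2, 3}),
    trans={0: {1}, 1: {2}, 2: {0, 3}, 3: {3}},
    labels={0: {'req'}, 1: set(), 2: {'grant'}, 3: {'error'}},
)

REQ, GRANT, ERROR = ('atom', 'req'), ('atom', 'grant'), ('atom', 'error')
LIVENESS = ('AG', ('imp', REQ, ('AF', GRANT)))   # every request is eventually granted
SAFETY = ('AG', ('not', ERROR))                   # the error state is unreachable

if __name__ == '__main__':
    for name, spec in (('liveness', LIVENESS), ('safety', SAFETY)):
        sats = check(ARBITER, spec)
        print(name, 'holds in', sorted(sats), 'fails in', sorted(ARBITER.states - sats))
```

Both fixed points terminate because the functionals are monotone on a finite lattice of state sets: EU climbs from the empty set, EG descends from the set where its argument holds. Replacing the set operations by BDD operations, as the tutorial proposes, changes the representation but not this algorithm; the liveness property holds in every state of the sample arbiter, while the safety property fails everywhere because state 3 is reachable from state 2.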
CL (Clausal Language) is a computer programming language with mathematical syntax and a proof system based on Peano arithmetic which we have repeatedly used in the teaching of three (first and second year) undergraduate courses covering respectively declarative programming, program verification, and program and abstract data specification.

CL functions are over natural numbers, and yet CL has the look and feel of a modern functional language (higher-order functions are for the time being not covered). The coding of data structures into natural numbers is done via a pairing function which effectively identifies the domain of S-expressions of LISP with natural numbers. Recursion schemas available for the definition of CL functions are extremely programmer-friendly in that they permit arbitrarily nested recursion where a previously defined measure of arguments goes down. By the well-known theorem of Tait on nested ordinal recursion (restricted in CL to ω) this does not lead outside of primitive recursive functions. Thus Tait’s theorem characterizes the CL programming language as being able to define exactly the unary primitive recursive functions (the effect of n-ary functions is achieved via pairing).

CL comes with its own proof system (intelligent proof checker) for proving 
properties of CL-defined functions such as the demonstration that they satisfy 
previously stated specifications. The proof system is also used for proof obliga- 
tions where the user convinces the system that his recursively defined functions 
are properly introduced (they decrease arguments in certain measures). 

The proof system is based on the signed tableaux of Smullyan, whose F-signed formulas are interpreted as goals to be proved and T-signed ones as assumptions. This permits a natural deduction style as used in mathematical practice, and the proofs are easily described in English. It is amazing that CL seems to be the first system with such an obvious interpretation of signed tableaux.

The strength of the CL proof system is characterized as a certain fragment of Peano Arithmetic. By the incompleteness result of Gödel, every formal system containing addition and multiplication admits only a fragment of recursive functions determined by its proof strength. Thus it seemed natural to us to choose that fragment of Peano arithmetic whose provably recursive functions are precisely the primitive recursive functions. This is the IΣ1 arithmetic where induction axioms are restricted to Σ1-formulas. Primitive recursive functions have very natural closure properties and certainly contain all feasibly computable functions.
Because CL uses strong recursion schemas for the definition of functions, its proof system requires a rich variety of induction schemas for proving their properties. The induction schemas are automatically derived from CL predicates characterizing data structures (such as lists, trees, tables) and amount to the shell principles of Boyer-Moore’s system. Because CL has quantifiers, the induction schemas are very simply given in the form of Π2-rules which by the well-known theorem of Parsons are reducible to IΣ1-induction axioms.

The domain of natural numbers is so well-known that the students have no 
problem understanding the meaning (semantics) of functions of CL and have 
a good intuition about their properties. This should be contrasted with similar 
systems with more complex and less intuitive domains (for instance PVS which 
is based on typed functionals). Our experience is that the students seem not 
only to understand but also enjoy CL. 
Abstract. In this paper we present a prefixed analytic tableau calculus 
for a class of normal multimodal logics and we present some results about 
decidability and undecidability of this class. The class is characterized by 
axioms of the form $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi$, called inclusion axioms, 
where the $t_i$'s and $s_j$'s are constants. This class of logics, called grammar 
logics, was introduced for the first time by Fariñas del Cerro and Pentto- 
nen to simulate the behaviour of grammars in modal logics, and includes 
some well-known modal systems. The prefixed tableau method is used to 
prove the undecidability of modal systems based on unrestricted, context 
sensitive, and context free grammars. Moreover, we show that the class 
of modal logics based on right-regular grammars is decidable by means 
of the filtration method, by defining an extension of the Fischer-Ladner 
closure. 

Keywords: Multimodal logics, Prefixed tableaux methods, Decidabi- 
lity, Formal grammars. 



1 Introduction and Motivations 

Modal logics are widely used in artificial intelligence for representing knowledge 
and beliefs [19] together with other attitudes in agent systems like, for instance, 
goals, intentions and obligations [33]. Moreover, modal logics are well suited for 
representing dynamic aspects in agent systems and, in particular, to formalize 
reasoning about actions and time. Last but not least, modal logics are shown 
useful to extend logic programming languages with new features [31,13,4]. 

In this paper we focus on a class of normal multimodal logics, called grammar 
logics, which are characterized by a set of logical axioms of the form: 

$$[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi \qquad (n > 0;\ m \geq 0) \qquad (1)$$

that we call inclusion axioms, where the $t_i$'s and $s_j$'s are modalities. This class 
includes some well-known modal systems such as K, K4, S4 and their multimo- 
dal versions. Differently from other logics, such as those studied in [19], these 
systems can be non-homogeneous (i.e., the modal operators are not restricted to 
belong to the same system) and can contain interaction axioms (i.e., the 
modal operators are not restricted to be independent from each other). 

This class of logics was introduced by Fariñas del Cerro and Penttonen 
in [11], where a method to define multimodal logics from formal grammars is 
presented, in such a way as to simulate the behaviour of grammars. Given a formal 
grammar, a modality is associated to each terminal and nonterminal symbol, 
while, for each production rule of the form $t_1 \cdots t_n \rightarrow s_1 \cdots s_m$, an associated 
inclusion axiom $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi$ is defined. In [11], it is shown that 
testing whether a word is generated by the formal grammar is equivalent to 
proving a theorem in the logic. Moreover, relying on this relation with formal 
grammars, an undecidability result for this class of multimodal logics is proved. 
However, in [11], neither a proof method is presented to deal with the class of 
grammar logics nor the (un)decidability of restricted subclasses is studied. 

In this paper, we develop an analytic tableau calculus for the class of grammar 
logics. The calculus is parametric with respect to each modal system in this class. 
In particular, it deals with non-homogeneous multimodal systems with arbitrary 
interaction axioms of the form (1). 

The calculus is an extension of the one proposed in [26], which is closely 
related to the systems of prefixed tableaux presented in [14] . As a difference with 
[14], worlds are not represented by prefixes (which describe paths in the model 
from the initial world), but they are given an atomic name and the accessibility 
relationships among them are explicitly represented in a graph. The method is 
based on the idea of using the characterizing axioms of the logic as “rewrite 
rules” which create new paths among worlds in the counter-model construction. 

Making use of the tableau calculus we prove the undecidability of the modal 
systems based on context sensitive and context-free grammars. Moreover, we 
show that the class of modal logics based on right regular grammars is decidable. 
We use the well-known filtration methods by defining an extension of the Fischer- 
Ladner closure for modal logics. This result is close to those that have been 
established for propositional dynamic logic [12,20]. 

2 Grammar Modal Logics 

Let us define a propositional multimodal language $\mathcal{L}$, containing the logical 
connectives $\wedge$, $\vee$, $\supset$, $\neg$, and a set of modal operators of the form $[t]$ and $\langle t\rangle$, 
where $t$ belongs to a nonempty countable set MOD (the alphabet of modalities), 
and a nonempty countable set VAR of propositional variables. MOD and VAR 
are disjoint. The set of formulae of the language is constructed as usual by 
means of the propositional variables, the connectives, and the modal operators. 

We only consider normal modal logics, that is those whose axioma- 
tization at least contains the axiom schemas for the classical propositional cal- 
culus, the modus ponens and necessitation rules, and the axiom schema $K(t)$: 
$[t](\varphi \supset \psi) \supset ([t]\varphi \supset [t]\psi)$ for all modal operators. In particular, we focus on 
normal multimodal logics that are characterized by a set of axiom schemas of 
the form (1). We call these logics grammar logics. Let $\mathcal{A}$ be a set of inclusion 
axioms; we denote by $\mathcal{L}_{\mathcal{A}}$ the grammar logic determined by the set $\mathcal{A}$ with $\mathcal{L}$ 
as underlying language, while we use $S_{\mathcal{A}}$ to denote its characterizing axiom sy- 
stem (containing the axioms for normal modalities plus $\mathcal{A}$). As we will see, the 
inclusion axioms determine inclusion properties on the accessibility relations. 

Some examples of grammar logics are the well-known modal systems K, T, 
K4, S4 [23], their multimodal versions $K_n$, $T_n$, $K4_n$, $S4_n$ [19], extensions of 
and $S4_n$ with interaction axioms or with the agent “any fool” in [16,10,3]. 

Example 1. (The friends puzzle) Peter is a friend of John, so if Peter knows that 
John knows something, then John knows that Peter knows that thing. That is, 
$A_1$: $[p][j]\varphi \supset [j][p]\varphi$, where $[p]$ and $[j]$ are modal operators of type S4 (i.e., $A_2$: 
$[p]\varphi \supset \varphi$, $A_3$: $[p]\varphi \supset [p][p]\varphi$, $A_4$: $[j]\varphi \supset \varphi$, and $A_5$: $[j]\varphi \supset [j][j]\varphi$) and they are 
used to denote what is known by Peter and John, respectively. Peter is married, 
so if Peter's wife knows something, then Peter knows the same thing, that is, 
$A_6$: $[wp]\varphi \supset [p]\varphi$ holds, where $[wp]$ is a modality of type S4 representing the 
knowledge of Peter's wife. John and Peter have an appointment; let us consider 
the following situation: 

(1) $[p]time$                (3) $[wp]([p]time \supset [j]time)$ 

(2) $[p][j]place$            (4) $[p][j](place \wedge time \supset appointment)$ 

That is, (1) Peter knows the time of their appointment; (2) Peter also knows 
that John knows the place of their appointment. Moreover, (3) Peter's wife knows 
that if Peter knows the time of their appointment, then John knows that too; 
(4) Peter knows that if John knows the place and the time of their appointment, 
then John knows that he has an appointment. From this situation we will be able 
to prove $[j][p]appointment \wedge [p][j]appointment$, that is, each of the two friends 
knows that the other one knows that he has an appointment. 

In order to define the meaning of a formula, we introduce the notion of 
Kripke interpretation. Formally, a Kripke interpretation $M$ is a triple $(W, \{\mathcal{R}_t \mid 
t \in MOD\}, V)$, consisting of a non-empty set $W$ of “possible worlds”, a set 
of binary relations $\mathcal{R}_t$ (one for each $t \in MOD$) on $W$, and a valuation function 
$V$, that is a mapping from $W \times VAR$ to the set $\{T, F\}$. We say that $\mathcal{R}_t$ is the 
accessibility relation of the modality $[t]$ and that $w'$ is accessible from $w$ by means of 
$\mathcal{R}_t$ if $(w, w') \in \mathcal{R}_t$ (or $w \mathcal{R}_t w'$). 

The meaning of a formula is given by means of a satisfiability relation, denoted 
by $\models$. Let $M = (W, \{\mathcal{R}_t \mid t \in MOD\}, V)$ be a Kripke interpretation, $w$ a world in 
$W$ and $\varphi$ a formula; then we say that $\varphi$ is satisfiable in the Kripke interpretation 
$M$ at $w$, denoted by $M, w \models \varphi$, if the following conditions hold: 

— $M, w \models p$ and $p \in VAR$ iff $V(w, p) = T$; 

— $M, w \models \neg\varphi$ iff $M, w \not\models \varphi$; 

— $M, w \models \varphi \wedge \psi$ iff $M, w \models \varphi$ and $M, w \models \psi$; 

— $M, w \models \varphi \vee \psi$ iff $M, w \models \varphi$ or $M, w \models \psi$; 

— $M, w \models \varphi \supset \psi$ iff $M, w \not\models \varphi$ or $M, w \models \psi$; 

— $M, w \models [t]\varphi$ iff for all $w' \in W$ such that $(w, w') \in \mathcal{R}_t$, $M, w' \models \varphi$; 

— $M, w \models \langle t\rangle\varphi$ iff there exists a $w' \in W$ such that $(w, w') \in \mathcal{R}_t$ and $M, w' \models \varphi$. 
Let $\mathcal{M}_{\mathcal{C}}$ be the set of all Kripke interpretations, as defined above. For each 
grammar logic we introduce a suitable notion of Kripke $\mathcal{A}$-interpretation, by 
adding some restrictions on the accessibility relations. More precisely, let $M = 
(W, \{\mathcal{R}_t \mid t \in MOD\}, V)$ be a Kripke interpretation and let $\mathcal{A}$ be a set of inclusion 
axioms; we say that $M$ is a Kripke $\mathcal{A}$-interpretation if and only if for each axiom 
schema $[t_1][t_2]\cdots[t_n]\varphi \supset [s_1][s_2]\cdots[s_m]\varphi \in \mathcal{A}$, the following inclusion property 
on the accessibility relations holds: 

$$\mathcal{R}_{t_1} \circ \mathcal{R}_{t_2} \circ \cdots \circ \mathcal{R}_{t_n} \supseteq \mathcal{R}_{s_1} \circ \mathcal{R}_{s_2} \circ \cdots \circ \mathcal{R}_{s_m} \qquad (2)$$

where “$\circ$” denotes relation composition, $\mathcal{R}_t \circ \mathcal{R}_{t'} = \{(w, w'') \in W \times W \mid \exists w' \in 
W \text{ such that } (w, w') \in \mathcal{R}_t \text{ and } (w', w'') \in \mathcal{R}_{t'}\}$.¹ 

The set of all Kripke $\mathcal{A}$-interpretations is denoted by $\mathcal{M}_{\mathcal{A}}$ and it is a subset 
of $\mathcal{M}_{\mathcal{C}}$. Given a Kripke $\mathcal{A}$-interpretation $M = (W, \{\mathcal{R}_t \mid t \in MOD\}, V)$ in $\mathcal{M}_{\mathcal{A}}$, 
we say that a formula $\varphi$ of $\mathcal{L}$ is satisfiable in $M$ if $M, w \models_{\mathcal{A}} \varphi$ for some world 
$w \in W$. We say that $\varphi$ is valid in $M$ if $\neg\varphi$ is not satisfiable in $M$. Moreover, a 
formula $\varphi$ is $\mathcal{A}$-satisfiable if $\varphi$ is satisfiable in some Kripke $\mathcal{A}$-interpretation in 
$\mathcal{M}_{\mathcal{A}}$ and $\mathcal{A}$-valid if it is valid in all Kripke $\mathcal{A}$-interpretations in $\mathcal{M}_{\mathcal{A}}$ (in this case, 
we write $\models_{\mathcal{A}} \varphi$). 

The axiom system $S_{\mathcal{A}}$ is a sound and complete axiomatization with respect to 
$\mathcal{M}_{\mathcal{A}}$ [2] (see also [11] for a subclass). 

Due to the similarity between inclusion axioms and production rules in a 
grammar, we can associate to a given grammar a corresponding grammar logic. 

A grammar is a quadruple $G = (V, T, P, S)$, where $V$ and $T$ are disjoint finite 
sets of variables and terminals, respectively. $P$ is a finite set of productions, each 
production is of the form $\alpha \rightarrow \beta$, where the form of $\alpha$ and $\beta$ depends on the type 
of grammar as follows²: 

Production form for different classes of languages: 

  type-0:  $\alpha \in (V \cup T)^* V (V \cup T)^*$,  $\beta \in (V \cup T)^*$ 
  type-1:  $\alpha \in (V \cup T)^* V (V \cup T)^*$,  $\beta \in (V \cup T)^+$,  $|\alpha| \leq |\beta|$ 
  type-2:  $\alpha \in V$,  $\beta \in (V \cup T)^*$ 
  type-3:  $\alpha \in V$,  $\beta = \sigma A$ or $\beta = \sigma$,  with $\sigma \in T^*$ and $A \in V$ 

Finally, $S \in V$ is a special variable called the start symbol [21]. We say that the 
production $\alpha \rightarrow \beta$ is applied to the string $\gamma\alpha\delta$ to directly derive $\gamma\beta\delta$ in grammar 
$G$ (written $\gamma\alpha\delta \Rightarrow_G \gamma\beta\delta$). The relation derives, $\Rightarrow^*_G$, is the reflexive, transitive 
closure of $\Rightarrow_G$. The language generated by a grammar $G$, denoted by $L(G)$, is the 
set of words $\{w \in T^* \mid S \Rightarrow^*_G w\}$. 

Given a formal grammar $G = (V, T, P, S)$, we can associate to it a grammar 
logic (based on $G$) containing the modalities $MOD = V \cup T$ and characterized 
by the axiom schemas $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi$, one for each production rule 
$t_1 \cdots t_n \rightarrow s_1 \cdots s_m \in P$, where the $t_i$'s and $s_j$'s are either in $V$ or in $T$. 

¹ If $m = 0$ then we assume $\mathcal{R}_{s_1} \circ \mathcal{R}_{s_2} \circ \cdots \circ \mathcal{R}_{s_m} = I$, where $I$ is the identity relation 
on $W$. 

² We denote by “$L^*$” the Kleene closure of the language $L$ (i.e. it denotes zero or 
more concatenations of $L$) and by “$L^+$” the positive closure of $L$ (i.e. it denotes one 
or more concatenations of $L$) [21]. 

We will call unrestricted, context sensitive, context-free, and right-regular modal 
logic a grammar logic based on a type-0, type-1, type-2, and type-3 grammar, 
respectively. 



3 A Tableau Calculus for Grammar Logics 

Before introducing our tableau calculus, we need to define some notions. We 
define a signed formula $Z$ as a formula prefixed by one of the two symbols $T$ and 
$F$ (signs). For instance, if $\varphi$ is a formula then $T\varphi$ and $F\varphi$ are signed formulae. 

Definition 1. Let $\mathcal{L}$ be a propositional modal language and let $W_c$ be a coun- 
table non-empty set of constant world symbols (or prefixes). A prefixed signed 
formula, $w : Z$, is a prefix $w \in W_c$ followed by a signed formula $Z$. 

Intuitively, prefixes are used to name worlds, and a formula $w : T\varphi$ ($w : F\varphi$) 
on a branch of a tableau means that the formula $\varphi$ is true (false) at the world $w$ 
in the Kripke interpretation associated with that branch. We assume that $W_c$ 
always contains at least the prefix $i$, which is interpreted as the initial world. 

Definition 2. Let $\mathcal{L}$ be a propositional modal language; an accessibility relation 
formula $w \rho_t w'$, where $t \in MOD$, is a binary relation between prefixes of $W_c$. 

We say that an accessibility relation formula $w \rho_t w'$ is true in a tableau 
branch if it belongs to that branch and, intuitively, this means that in the Kripke 
interpretation associated with that branch $(w, w') \in \mathcal{R}_t$ holds. 

Remark 1. Using prefixed formulae is very common in modal theorem proving 
(see [17] for a historical introduction to the topic). We would like to mention 
the well-known prefixed tableau systems in [14] and the TABLEAUX system in 
[8]. In [14], differently from here and from [26,8], a prefix is a sequence of integers 
which represents a world as a path from the initial world to it. As a result, 
instead of representing explicitly the worlds and accessibility relations of a Kripke 
interpretation in a graph, by means of the accessibility relation formulae, [14] 
represents them by a set of paths, which can be considered as a spanning tree of 
the graph. Similar ideas are also used by other authors, such as the proposals in 
[25,18,32,9]. 

In order to simplify the presentation of the calculus we use the well-known 
uniform notation for signed formulae [14] (see Fig. 1). In the following, we will 
often use $\alpha$, $\beta$, $\nu^t$, and $\pi^t$ as formulae of the corresponding type. 

A tableau is a labeled tree where each node consists of a prefixed signed formula 
or an accessibility relation formula. It is an attempt to build an interpretation in 
which a given formula is satisfiable. Starting from a formula $\varphi$, the interpretation 
is progressively constructed by applying a set of extension rules, which reflect the 
semantics of the considered logic. At any stage, a branch of a tableau is a partial 
  $\alpha$                        $\alpha_1$      $\alpha_2$          $\beta$                        $\beta_1$      $\beta_2$ 
  $T(\varphi \wedge \psi)$        $T\varphi$      $T\psi$             $F(\varphi \wedge \psi)$       $F\varphi$     $F\psi$ 
  $F(\varphi \vee \psi)$          $F\varphi$      $F\psi$             $T(\varphi \vee \psi)$         $T\varphi$     $T\psi$ 
  $F(\varphi \supset \psi)$       $T\varphi$      $F\psi$             $T(\varphi \supset \psi)$      $F\varphi$     $T\psi$ 
  $F(\neg\varphi)$                $T\varphi$      $T\varphi$ 
  $T(\neg\varphi)$                $F\varphi$      $F\varphi$ 

  $\nu^t$                         $\nu_0$                             $\pi^t$                        $\pi_0$ 
  $T([t]\varphi)$                 $T\varphi$                          $F([t]\varphi)$                $F\varphi$ 
  $F(\langle t\rangle\varphi)$    $F\varphi$                          $T(\langle t\rangle\varphi)$   $T\varphi$ 

Fig. 1. Uniform notation for propositional signed modal formulae. 



description of an interpretation. In our case, the tableau method tries to build 
Kripke interpretations, one for each branch: the worlds are formed by the prefixes 
that appear on the branch, the accessibility relations for the modalities are given 
by means of the accessibility relation formulae, and the valuation function is 
given by means of the prefixed signed atomic formulae. 

Now, we can present the set of extension rules. We say that a prefix w is 
used on a tableau branch if it occurs on the branch in some accessibility relation 
formula, otherwise we say that the prefix w is new. 

Definition 3 (Extension rules). Let $\mathcal{L}$ be a modal language and let $\mathcal{A}$ be a 
set of inclusion axioms; the extension rules for $\mathcal{L}_{\mathcal{A}}$ are given in Fig. 2. 

  $\alpha$-rule:   $w : \alpha$  /  $w : \alpha_1$,  $w : \alpha_2$ 

  $\beta$-rule:    $w : \beta$  /  $w : \beta_1 \mid w : \beta_2$ 

  $\nu$-rule:      $w : \nu^t$,  $w \rho_t w'$  /  $w' : \nu_0$ 

  $\pi$-rule:      $w : \pi^t$  /  $w' : \pi_0$,  $w \rho_t w'$ 
                   where $w'$ is new on the branch 

  $\rho$-rule:     $w \rho_{s_1} w_1, \ldots, w_{m-1} \rho_{s_m} w'$  /  $w \rho_{t_1} w'_1, \ldots, w'_{n-1} \rho_{t_n} w'$ 
                   where $w'_1, \ldots, w'_{n-1}$ are new on the branch 
                   and $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi \in \mathcal{A}$ ($n > 0$ and $m \geq 0$) 

Fig. 2. Tableau rules for propositional inclusion modal logics. 



The interpretation of the different kinds of extension rules is rather easy 
taking into account the possible-worlds semantics. The rules for the formulae of 
type $\alpha$ and $\beta$ are the usual ones of the classical calculus. 

A formula of type $\nu^t$ is true at world $w$ if $\nu_0$ is true in all worlds $w'$ accessible 
from $w$ by means of $\mathcal{R}_t$. Therefore, if $w : \nu^t$ occurs on an open branch, we can add 
$w' : \nu_0$ to the end of that branch for any $w'$ which is accessible from $w$ by means 
of $\mathcal{R}_t$ (such that $w \rho_t w'$ is true on that branch). 

A formula of type $\pi^t$ is true at the world $w$ if there exists a world $w'$ accessible 
from $w$ at which $\pi_0$ is true. Therefore, if $w : \pi^t$ occurs on an open branch, we 
can add $w' : \pi_0$ to the end of that branch, provided $w'$ is new and $w \rho_t w'$ is 
true on it. 

The intuition behind the $\rho$-rule is quite simple. Let us suppose, for instance, 
that $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi \in \mathcal{A}$ is an axiom of our grammar logic $\mathcal{L}_{\mathcal{A}}$. 
If $w \rho_{s_1} w_1, \ldots, w_{m-1} \rho_{s_m} w'$ are on a branch, then $(w, w_1) \in \mathcal{R}_{s_1}, \ldots, 
(w_{m-1}, w') \in \mathcal{R}_{s_m}$ in the Kripke interpretation associated with that branch. 
Since $[t_1]\ldots[t_n]\varphi \supset [s_1]\ldots[s_m]\varphi \in \mathcal{A}$, the corresponding inclusion pro- 
perty (2) must hold. Thus, we can add the formulae $w \rho_{t_1} w'_1, \ldots, w'_{n-1} \rho_{t_n} w'$ 
to that branch. Moreover, in the case $m = 0$ we can always add the formulae 
$w \rho_{t_1} w'_1, \ldots, w'_{n-1} \rho_{t_n} w$, for every world constant $w$, provided that $w'_1, \ldots, 
w'_{n-1}$ are new on the branch. 

Remark 2. It is worth noting that the p-rule works for the whole class of gram- 
mar logics. Nevertheless, the proposed tableau could be easily extended in order 
to deal with modal logics which are different than those we have considered. 
By introducing new rules, which operate on accessibility relation formulae, one 
could also deal with multimodal logics characterized by serial, symmetric, and 
Euclidean accessibility relations [2] . 

We say that a tableau branch is closed if it contains $w : T\varphi$ and $w : F\varphi$ for 
some formula $\varphi$. A tableau is closed if every branch in it is closed. Finally, let 
$\mathcal{L}$ be a modal language, $\mathcal{A}$ a set of inclusion axioms, and $\varphi$ a formula. Then a 
closed tableau for $i : F\varphi$ obtained by using the tableau rules of Fig. 2 is said to 
be a proof of $\varphi$. 

Theorem 1. Let $\mathcal{L}_{\mathcal{A}}$ be a grammar logic; then a formula $\varphi$ of $\mathcal{L}$ has a tableau 
proof if and only if it is $\mathcal{A}$-valid. 

Due to space limitation we do not present here the proof of Theorem 1 but 
it follows the well-known guideline of [14,25,17] and it can be found in [2]. 

Example 2. In Figure 3 we have reported the proof of the first conjunct of the 
formula $[j][p]appointment \wedge [p][j]appointment$ of Example 1. We denote with 
“a” and “b” the two branches which are created by the $\beta$-rule at step 13., “c” 
and “d” the two created by the $\beta$-rule at step 14b., and “e” and “f” the two 
created by the $\beta$-rule at step 17d. Moreover, to save space, we use “ap” instead 
of appointment, “tm” instead of time, and “pl” instead of place. The explanation: 
1., 2., 3., and 4.: formulae (1), (2), (3), and (4); 5.: goal, formula (5); 6. and 7.: 
from 5., by $\pi$-rule; 8. and 9.: from 6., by $\pi$-rule; 10. and 11.: from 7. and 9., by 
$A_1$ and $\rho$-rule; 12.: from 4. and 10., by $\nu$-rule; 13.: from 12. and 11., by $\nu$-rule; 
14a. and 14b.: from 13., by $\beta$-rule, branch “a” closes; 15c. and 15d.: from 14b., by 
$\beta$-rule; 16c.: from 3. and 10., by $\nu$-rule; 17c.: from 16c. and 11., by $\nu$-rule, branch 
“c” closes; 16d.: from 10., by axiom $A_6$ and $\rho$-rule; 17d.: from 2. and 16d., by 
$\nu$-rule; 18e. and 18f.: from 17d., by $\beta$-rule; 19e.: from 18e. and 11., by $\nu$-rule, 
branch “e” closes; 19f. and 20f.: from 18f., by $\pi$-rule; 21f.: from 10. and 20f., by 
the corresponding axiom and $\rho$-rule; 22f.: from 1. and 21f., by $\nu$-rule, branch “f” closes. 



1. $i : T[p]tm$ 
2. $i : T[wp]([p]tm \supset [j]tm)$ 
3. $i : T[p][j]pl$ 
4. $i : T[p][j](pl \wedge tm \supset ap)$ 
5. $i : F[j][p]ap$ 
6. $w_1 : F[p]ap$ 
7. $i \rho_j w_1$ 
8. $w_2 : Fap$ 
9. $w_1 \rho_p w_2$ 
10. $i \rho_p w_3$ 
11. $w_3 \rho_j w_2$ 
12. $w_3 : T[j](pl \wedge tm \supset ap)$ 
13. $w_2 : T(pl \wedge tm \supset ap)$ 

  branch a:  14a. $w_2 : Tap$   × 
  branch b:  14b. $w_2 : F(pl \wedge tm)$ 
    branch c:  15c. $w_2 : Fpl$;  16c. $w_3 : T[j]pl$;  17c. $w_2 : Tpl$   × 
    branch d:  15d. $w_2 : Ftm$;  16d. $i \rho_{wp} w_3$;  17d. $w_3 : T([p]tm \supset [j]tm)$ 
      branch e:  18e. $w_3 : T[j]tm$;  19e. $w_2 : Ttm$   × 
      branch f:  18f. $w_3 : F[p]tm$;  19f. $w_4 : Ftm$;  20f. $w_3 \rho_p w_4$;  21f. $i \rho_p w_4$;  22f. $w_4 : Ttm$   × 

Fig. 3. $\rho$-rule as rewriting rule: counter-model construction of Example 1. 



The $\rho$-rule can be regarded as a rewriting rule which creates new paths among 
worlds according to the inclusion properties of the grammar logic. In fact, given 
a tableau branch $S$, let $w_0$ and $w_n$ be two prefixes used on $S$; a path $\xi(w_0, w_n)$ is a 
collection $\{w_0 \rho_{t_1} w_1, w_1 \rho_{t_2} w_2, \ldots, w_{n-1} \rho_{t_n} w_n\}$ of accessibility relation for- 
mulae in $S$. We say that the path $\xi(w_0, w_n)$ directly $\rho$-derives the path $\xi'(w_0, w_n)$ 
if the path $\xi'(w_0, w_n)$ is obtained from $\xi(w_0, w_n)$ by means of the application of 
a $\rho$-rule to a subpath of $\xi(w_0, w_n)$. The relation $\rho$-derives is the reflexive, transi- 
tive closure of the relation directly $\rho$-derives. For instance, let us consider Fig. 3. 
Then, the path $\xi_1(i, w_2) = \{i \rho_j w_1, w_1 \rho_p w_2\}$ directly $\rho$-derives the path 
$\xi_2(i, w_2) = \{i \rho_p w_3, w_3 \rho_j w_2\}$, and $\rho$-derives the path $\xi_3(i, w_2) = \{i \rho_{wp} w_3, 
w_3 \rho_j w_2\}$. 

For a path $\xi(w_0, w_n) = \{w_0 \rho_{t_1} w_1, \ldots, w_{n-1} \rho_{t_n} w_n\}$, we denote by 
$\hat{\xi}(w_0, w_n)$ the word $t_1 \cdots t_n$. It is worth noting that for a grammar logic ba- 
sed on a grammar $G$, if $\xi(w_0, w_n)$ is a path occurring in a tableau branch, then 
$\xi(w_0, w_n)$ $\rho$-derives a path $\xi'(w_0, w_n)$ if and only if $\hat{\xi}'(w_0, w_n) \Rightarrow^*_G \hat{\xi}(w_0, w_n)$. 
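The calculus of Fig. 2 as an executable bounded search, added here as an example that is not the paper's own implementation: the α, β, ν, π and ρ-rules act on a branch made of prefixed signed formulae and accessibility relation formulae, the ρ-rule rewrites an s-path into a t-path exactly as described above, and the block runs the search on the friends puzzle of Example 1. The formula encoding, the prefix naming and the world/step budgets are assumptions of this example; the budgets are needed because validity is undecidable in general (Section 4).

```python
"""Bounded prefixed-tableau prover for grammar logics: an added example, not the paper's code.
Formulas are nested tuples (helpers below), modalities are strings, sign True is T and False is F,
'i' is the initial prefix, and an axiom [t1]..[tn]phi > [s1]..[sm]phi is ((t1,..,tn), (s1,..,sm))."""


def Var(p): return ('var', p)
def Not(a): return ('not', a)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def Imp(a, b): return ('imp', a, b)
def Box(t, a): return ('box', t, a)
def Dia(t, a): return ('dia', t, a)


def expand(sign, f):
    """Uniform notation of Fig. 1: the type of a signed formula and its components."""
    k = f[0]
    if k == 'var': return None
    if k == 'not': return ('alpha', [(not sign, f[1])])
    if k == 'and': return ('alpha' if sign else 'beta', [(sign, f[1]), (sign, f[2])])
    if k == 'or': return ('beta' if sign else 'alpha', [(sign, f[1]), (sign, f[2])])
    if k == 'imp': return ('beta' if sign else 'alpha', [(not sign, f[1]), (sign, f[2])])
    if k == 'box': return ('nu' if sign else 'pi', f[1], (sign, f[2]))
    return ('pi' if sign else 'nu', f[1], (sign, f[2]))      # k == 'dia'


def path_ends(edges, w, word):
    """Prefixes reachable from w along accessibility formulas labelled by word (empty word: w)."""
    ends = {w}
    for t in word:
        ends = {v for (u, m, v) in edges if m == t and u in ends}
    return ends


def step(branch, axioms):
    """Apply one rule of Fig. 2 to the branch (forms, edges, done, n_worlds);
    return the successor branches, or None when no rule applies (saturated branch)."""
    forms, edges, done, nw = branch
    fresh = lambda k: 'w%d' % (nw + k)
    ordered = sorted(forms, key=repr)                         # deterministic rule choice
    for pf in ordered:                                        # alpha- and beta-rules
        e = expand(pf[1], pf[2])
        if pf in done or e is None or e[0] not in ('alpha', 'beta'):
            continue
        if e[0] == 'alpha':
            return [(forms | {(pf[0], s2, f2) for s2, f2 in e[1]}, edges, done | {pf}, nw)]
        return [(forms | {(pf[0], s2, f2)}, edges, done | {pf}, nw) for s2, f2 in e[1]]
    for (w, s, f) in ordered:                                 # nu-rule: needs an existing edge
        e = expand(s, f)
        if e and e[0] == 'nu':
            t, (s0, f0) = e[1], e[2]
            new = {(v, s0, f0) for (u, m, v) in edges if u == w and m == t} - forms
            if new:
                return [(forms | new, edges, done, nw)]
    for pf in ordered:                                        # pi-rule: once, with a new prefix
        e = expand(pf[1], pf[2])
        if e and e[0] == 'pi' and pf not in done:
            t, (s0, f0) = e[1], e[2]
            return [(forms | {(fresh(1), s0, f0)}, edges | {(pf[0], t, fresh(1))}, done | {pf}, nw + 1)]
    worlds = {'i'} | {x for (u, _, v) in edges for x in (u, v)}
    for lhs, rhs in sorted(axioms, key=lambda a: len(a[0])):  # rho-rule; world-creating ones last
        for w in sorted(worlds):
            for v in sorted(path_ends(edges, w, rhs)):
                key = ('rho', lhs, rhs, w, v)
                if key in done:
                    continue                                  # this s-path was already rewritten
                chain = [w] + [fresh(k) for k in range(1, len(lhs))] + [v]
                new_edges = {(chain[k], lhs[k], chain[k + 1]) for k in range(len(lhs))}
                return [(forms, edges | new_edges, done | {key}, nw + len(lhs) - 1)]
    return None


def prove(phi, axioms, max_worlds=12, max_steps=20000):
    """Search for a closed tableau for i : F phi.  True: phi is A-valid (Theorem 1).  False: an open
    saturated branch was found, or the budget ran out (validity is undecidable in general)."""
    stack = [(frozenset({('i', False, phi)}), frozenset(), frozenset(), 0)]
    steps = 0
    while stack:
        branch = stack.pop()
        if any((w, not s, f) in branch[0] for (w, s, f) in branch[0]):
            continue                                          # closed branch
        steps += 1
        if branch[3] > max_worlds or steps > max_steps:
            return False
        succ = step(branch, axioms)
        if succ is None:
            return False                                      # open branch: a counter-model
        stack.extend(succ)
    return True


# The friends puzzle of Example 1: axioms A1..A6 and premises (1)..(4) (constructed input).
TM, PL, AP = Var('tm'), Var('pl'), Var('ap')
FRIENDS_AXIOMS = [(('p', 'j'), ('j', 'p')), (('p',), ()), (('p',), ('p', 'p')),
                  (('j',), ()), (('j',), ('j', 'j')), (('wp',), ('p',))]
FRIENDS_PREMISES = And(And(Box('p', TM), Box('wp', Imp(Box('p', TM), Box('j', TM)))),
                       And(Box('p', Box('j', PL)), Box('p', Box('j', Imp(And(PL, TM), AP)))))
FRIENDS_GOAL = Imp(FRIENDS_PREMISES, And(Box('j', Box('p', AP)), Box('p', Box('j', AP))))
```

`prove(FRIENDS_GOAL, FRIENDS_AXIOMS)` returns True; with a grammar's productions as axioms the same function decides the membership correspondence of Theorem 2 for words whose derivations the budget covers.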
4 Undecidability Results for Grammar Logics 

The tableau method developed in the previous section allows us to generalize the 
correspondence between the membership problem for a given grammar and the 
validity problem in the corresponding grammar logic, established by Fariñas del 
Cerro and Penttonen in [11]. 

Theorem 2. Given a grammar $G = (V, T, P, S)$, let $\mathcal{L}_{\mathcal{A}}$ be the grammar logic 
based on $G$. Then, for any propositional variable $p$ of $\mathcal{L}$, $\models_{\mathcal{A}} [S]p \supset [s_1]\ldots[s_m]p$ 
if and only if $S \Rightarrow^*_G s_1 \cdots s_m$, where the $s_i$'s are in $V \cup T$. 

Proof. (If) Let us suppose that $\models_{\mathcal{A}} [S]p \supset [s_1]\ldots[s_m]p$; then the tableau star- 
ting from $i : F([S]p \supset [s_1]\ldots[s_m]p)$ closes. Now, by applying the $\alpha$-rule we 
obtain $i : T[S]p$, $i : F[s_1]\ldots[s_m]p$, and, applying $m$ times the $\pi$-rule, $w_1 : F[s_2]\cdots[s_m]p$, 
$i \rho_{s_1} w_1$, ..., $w_m : Fp$, and $w_{m-1} \rho_{s_m} w_m$. Since, by hypothesis, the above 
tableau closes, the only way for this to happen is that after a finite number of 
applications of the $\rho$-rule we have the prefixed signed formula $w_m : Tp$ in the 
branch. This happens if the path $\xi(i, w_m) = \{i \rho_{s_1} w_1, \ldots, w_{m-1} \rho_{s_m} w_m\}$ 
$\rho$-derives the path $\xi'(i, w_m) = \{i \rho_S w_m\}$, that is, if there exists a derivation 
$\hat{\xi}'(i, w_m) \Rightarrow^*_G \hat{\xi}(i, w_m)$. (Only if) Assume $S \Rightarrow^*_G s_1 \cdots s_m$. Since a systematic at- 
tempt to prove $i : F([S]p \supset [s_1]\ldots[s_m]p)$ generates a path $\xi(i, w_m) = \{i \rho_{s_1} w_1, 
\ldots, w_{m-1} \rho_{s_m} w_m\}$ and $\xi(i, w_m)$ $\rho$-derives the path $\xi'(i, w_m) = \{i \rho_S w_m\}$, after 
a finite number of steps the only branch of the tableau closes by $w_m : Tp$ and 
$w_m : Fp$. 

It is well known that the problem of establishing if a word belongs to the 
language generated by an arbitrary type-0 grammar is undecidable [21]. Hence, 
we have the following corollary. 

Corollary 1. The validity problem for the class of grammar logics is undecida- 
ble. 



Indeed, this result has already been shown in [11]. However, Fariñas del 
Cerro and Penttonen do not prove Theorem 2 for the type-0 grammars but 
for a more restricted class of the grammar logics, that they call Thue logics 
because they are based on the Thue systems [6]. A Thue system is a type- 
0 grammar whose productions are symmetric and, thus, the Thue logics are 
grammar logics characterized by axiom schemas where the implication is replaced 
by the biimplication. In [11] the undecidability of grammar logics is proved by 
showing that the Thue logics are undecidable. In fact, since the membership 
problem for the Thue systems is undecidable, proving that a formula is a theorem 
of a Thue logic is also undecidable.³ 

³ The Thue systems have also been used in [24] to define logics similar to those studied 
in [11], which, however, are not in the class of grammar logics since modalities enjoy 
some further properties like seriality and determinism. In [24] undecidability results 
are proved for this class of logics. 
In [11] some problems are left open. In particular, it is not established whether 
more restricted classes of grammar logics, such as context sensitive, context-free, and 
regular modal logics, are decidable. In the following, we show that also the classes 
of context sensitive and context-free modal logics are undecidable, by reducing 
the solvability of the problem $L_1 \cap L_2 \neq \emptyset$ (where $L_1$ and $L_2$ are languages) to 
the satisfiability of formulas of context sensitive and context-free modal logics. 

Theorem 3. Let $G_1 = (V_1, T_1, P_1, S_1)$ and $G_2 = (V_2, T_2, P_2, S_2)$ be two gram- 
mars such that $V_1 \cap V_2 = \emptyset$ and $T_1 = T_2 \neq \emptyset$. Then, there exists a grammar logic 
$\mathcal{L}_{\mathcal{A}}$ and a formula $\varphi$ of $\mathcal{L}$ such that $\models_{\mathcal{A}} \varphi$ if and only if $L(G_1) \cap L(G_2) \neq \emptyset$. 

Proof. Let us define a grammar $G = (V, T, P, S)$, where $V = V_1 \cup V_2 \cup \{S\}$, 
$T = T_1 = T_2$, $P = P_1 \cup P_2 \cup \{S \rightarrow t,\ S \rightarrow S t \mid t \in T\}$, and $S \notin V_1$ and $S \notin V_2$. 
Then, we take as $\mathcal{L}_{\mathcal{A}}$ the inclusion modal logic based on $G$ and we consider 
the formula $\varphi_T(q) = \bigwedge_{t \in T} (\langle t\rangle q \wedge [S]\langle t\rangle q)$, where $q \in VAR$. A tableau starting 
from $i : T\varphi_T(q)$ is formed by only one branch that goes on forever. It is easy 
to see that for each word $x \in T^*$ the tableau branch contains a path $\xi(i, w)$ 
such that $\hat{\xi}(i, w) = x$. Now, let us define $\varphi = \varphi_T(q) \supset ([S_1]p \supset \langle S_2\rangle p)$, where 
$p, q \in VAR$ and $p \neq q$. (If) Suppose that $\models_{\mathcal{A}} \varphi$; then the tableau starting from 
1. $i : F(\varphi_T(q) \supset ([S_1]p \supset \langle S_2\rangle p))$ closes. Now, by applying twice the $\alpha$-rule we 
obtain: 2. $i : T\varphi_T(q)$, 3. $i : T[S_1]p$, and 4. $i : F\langle S_2\rangle p$. Since the above tableau 
must close, the only way for this to happen is that after a finite number of steps 
we must have a pair of prefixed signed formulae $w : Tp$ and $w : Fp$, for some 
prefix $w$ and, therefore, a path $\xi(i, w)$ that $\rho$-derives both the path $\xi_1(i, w) = 
\{i \rho_{S_1} w\}$ and the path $\xi_2(i, w) = \{i \rho_{S_2} w\}$. Thus, there is a derivation of 
$\hat{\xi}(i, w)$ both from $\hat{\xi}_1(i, w) = S_1$ and from $\hat{\xi}_2(i, w) = S_2$ ($S_1 \Rightarrow^*_{G_1} \hat{\xi}(i, w)$ and 
$S_2 \Rightarrow^*_{G_2} \hat{\xi}(i, w)$), i.e. $\hat{\xi}(i, w) \in L(G_1) \cap L(G_2)$. (Only if) Assume that $S_1 \Rightarrow^*_{G_1} x$ 
and $S_2 \Rightarrow^*_{G_2} x$ for some $x \in T^*$. Since a systematic attempt to prove the formula 
$i : T\varphi_T(q)$ can generate a path $\xi(i, w)$, for some prefix $w$, such that $\hat{\xi}(i, w) = y$, 
for any $y \in T^*$, after a finite number of steps we have a path $\xi'(i, w')$ such 
that $\hat{\xi}'(i, w') = x$. Thus, we have also the paths $\xi'_1(i, w') = \{i \rho_{S_1} w'\}$ and 
$\xi'_2(i, w') = \{i \rho_{S_2} w'\}$ by application of the $\rho$-rule a finite number of times. 
This is enough to close the only branch of the tableau by $w' : Tp$ and $w' : Fp$. 

It is well known that, given two arbitrary type-1 (type-2) grammars $G_1$ and 
$G_2$, it is undecidable whether $L(G_1) \cap L(G_2) \neq \emptyset$ [21]. Hence, we have the following 
corollary. 

Corollary 2. The validity problem for the classes of context sensitive and context- 
free modal logics is undecidable. 

5 A Decidability Result for Grammar Logics 

M. Baldoni, L. Giordano, and A. Martelli 

In the previous section we have shown that it is not possible to supply a general 
decision procedure for the classes of unrestricted, context sensitive and context- 
free modal logics. In this section, instead, we give a decidability result for right 
regular grammar logics, that is, those whose productions are of the form 
$A \rightarrow \sigma A'$, where $A, A'$ are variables and $\sigma$ a string of terminals. 

Definition 4. Let $G = (V, T, P, S)$ be a right type-3 grammar and let $A$ be a 
variable. Then, a derivation of a sentential form $\sigma X$ from $A$⁴ is said to be non- 
recursive if and only if each variable of $V$ appears in the derivation, apart from 
$\sigma X$, at most once. 

Proposition 1. Let $G = (V, T, P, S)$ be a right type-3 grammar, let $A_0$ be a 
variable and let $A_0 \Rightarrow \sigma_1 A_1 \Rightarrow \cdots \Rightarrow \sigma_1 \cdots \sigma_n A_n \Rightarrow \sigma_1 \cdots \sigma_n \sigma_{n+1} A_{n+1}$ be a derivation, 
where either $A_{n+1} \in V$ or $A_{n+1} \in T$ and $A_i \rightarrow \sigma_{i+1} A_{i+1} \in P$, for $i = 0, \ldots, n$. 
Then, there exists a non-recursive derivation $A_0 \Rightarrow^* \sigma \sigma_{n+1} A_{n+1}$, for some $\sigma \in T^*$. 

Proposition 2. Let $G = (V, T, P, S)$ be a right type-3 grammar. Then, the num- 
ber of different non-recursive derivations by means of $G$ is bounded by a number $der_G$ 
that depends only on $|V|$ and $n$, where $n$ is the maximum number of productions associated to a 
same variable of $V$. 

The proofs of the propositions above are simple and they can be found in [2]. 

Let $G = (V, T, P, S)$ be a right type-3 grammar and $\mathcal{L}_{\mathcal{A}}$ the regular inclusion 
modal logic based on $G$. Then, we define the Fischer-Ladner closure $FL(\varphi)$ of 
a formula $\varphi$ of $\mathcal{L}$ (that only uses existential modal operators, or, and negation⁵) 
as follows: 

— if $\psi \vee \psi' \in FL(\varphi)$ then $\psi \in FL(\varphi)$ and $\psi' \in FL(\varphi)$; 

— if $\neg\psi \in FL(\varphi)$ then $\psi \in FL(\varphi)$; 

— if $\langle t\rangle\psi \in FL(\varphi)$ and $t \in T$ then $\psi \in FL(\varphi)$; 

— if $\langle A\rangle\psi \in FL(\varphi)$, $A \in V$, and there is a non-recursive derivation $A \Rightarrow^* 
t_1 \cdots t_n X$, where $t_1, \ldots, t_n \in T$ and either $X \in T$ or $X \in V$, then $\langle t_1\rangle \ldots \langle t_n\rangle\langle X\rangle\psi 
\in FL(\varphi)$. 
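The closure construction above, as an added example that is not from the paper: it enumerates the non-recursive derivations of Definition 4 for a right type-3 grammar and builds $FL(\varphi)$ by the four closure rules, so that the finiteness claimed via Proposition 2 can be observed on a concrete formula. The production encoding and the formula encoding are assumptions of this example.

```python
"""Fischer-Ladner closure for a right-regular grammar logic: an added example, not the paper's code.
A production A -> sigma X is encoded as (A, word), word being a nonempty tuple of symbols whose last
element is the variable X or the last terminal of sigma; formulas use only <t>, 'or' and 'not'."""


def Var(p): return ('var', p)
def Not(a): return ('not', a)
def Or(a, b): return ('or', a, b)
def Dia(t, a): return ('dia', t, a)


def variables(prods):
    return {A for A, _ in prods}


def nonrecursive_derivations(prods, start):
    """Sentential forms sigma X derivable from start by non-recursive derivations (Definition 4):
    every variable other than the final X is expanded at most once.  Returns {(sigma, X)}."""
    vs = variables(prods)
    found = set()

    def walk(var, prefix, used):
        for A, word in prods:
            if A != var:
                continue
            full = prefix + word
            sigma, last = full[:-1], full[-1]
            found.add((sigma, last))
            if last in vs and last not in used:            # expand X only if not used yet
                walk(last, sigma, used | {last})

    walk(start, (), {start})
    return found


def fl_closure(phi, prods):
    """FL(phi) of Section 5: closed under the disjuncts of 'or', the operand of 'not',
    <t>psi -> psi for a terminal t, and <A>psi -> <t1>..<tn><X>psi for each non-recursive
    derivation A =>* t1..tn X when A is a variable."""
    vs = variables(prods)
    closure, todo = set(), [phi]
    while todo:
        psi = todo.pop()
        if psi in closure:
            continue
        closure.add(psi)
        if psi[0] == 'or':
            todo += [psi[1], psi[2]]
        elif psi[0] == 'not':
            todo.append(psi[1])
        elif psi[0] == 'dia':
            t, body = psi[1], psi[2]
            if t not in vs:
                todo.append(body)
            else:
                for sigma, last in nonrecursive_derivations(prods, t):
                    f = Dia(last, body)
                    for s in reversed(sigma):              # wrap <t1>..<tn> around <X>body
                        f = Dia(s, f)
                    todo.append(f)
    return closure


# Constructed right-regular grammar: S -> aS | bA, A -> b (terminals a, b; variables S, A).
PRODS = [('S', ('a', 'S')), ('S', ('b', 'A')), ('A', ('b',))]
```

For $\varphi = \langle S\rangle p$ over PRODS the closure has seven elements, among them $\langle b\rangle\langle b\rangle p$ from the derivation $S \Rightarrow bA \Rightarrow bb$ and $\langle a\rangle\langle S\rangle p$ from $S \Rightarrow aS$, which is non-recursive because $S$ is expanded only once.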

By Proposition 2 and the fact that $\varphi$ has finite length, the Fischer-Ladner 
closure is finite for any formula of a right regular modal logic. Consider a 
Kripke $\mathcal{A}$-interpretation $M = (W, \{\mathcal{R}_t \mid t \in MOD\}, V)$ and a formula $\varphi$ of $\mathcal{L}$; 
we define an equivalence relation $\equiv$ on the states of $W$ by: $w \equiv w'$ if and only if 
for all $\psi \in FL(\varphi)$ we have $M, w \models_{\mathcal{A}} \psi$ iff $M, w' \models_{\mathcal{A}} \psi$ (we use the notation 
$[w]$ for this equivalence class). The quotient Kripke $\mathcal{A}$-interpretation $M^{FL(\varphi)} = 
(W^{FL(\varphi)}, \{\mathcal{R}^{FL(\varphi)}_t \mid t \in MOD\}, V^{FL(\varphi)})$ (the filtration of $M$ through $FL(\varphi)$) is 
defined as follows: 

— $W^{FL(\varphi)} = \{[w] \mid w \in W\}$; 

— $V^{FL(\varphi)}([w], p) = V(w, p)$, for any $p \in VAR$ and $[w] \in W^{FL(\varphi)}$; 

— $\mathcal{R}^{FL(\varphi)}_t \supseteq \{([w], [w']) \in W^{FL(\varphi)} \times W^{FL(\varphi)} \mid (w, w') \in \mathcal{R}_t\}$. 

Moreover, $\mathcal{R}^{FL(\varphi)}_t$ is closed with respect to the inclusion axioms, that is, 
for each inclusion axiom $[t]\alpha \supset [s_1]\ldots[s_m]\alpha$, if $([w_0], [w_1]) \in \mathcal{R}^{FL(\varphi)}_{s_1}, \ldots, 
([w_{m-1}], [w_m]) \in \mathcal{R}^{FL(\varphi)}_{s_m}$ then the pair $([w_0], [w_m])$ belongs to $\mathcal{R}^{FL(\varphi)}_t$. 

⁴ Note that every sentential form derived from $A$ has the form $\sigma X$, where $\sigma \in T^*$ 
and either $X \in T$ or $X \in V$. 

⁵ Since all other connectives can be defined in terms of these, this is not a restrictive 
condition. 

The following lemma states that when we insert any extra pair $([w], [w'])$ 
in an accessibility relation of $M^{FL(\varphi)}$ in order to 
satisfy the relative set of inclusion properties, it is not the case that there was 
any $\langle t\rangle\psi \in FL(\varphi)$ which was true at $w$ while $\psi$ itself was false at $w'$ [22]. 

Lemma 1. For all $\psi = \langle t\rangle\psi' \in FL(\varphi)$, if $([w], [w']) \in \mathcal{R}^{FL(\varphi)}_t$ and $M, w' \models_{\mathcal{A}} \psi'$ 
then $M, w \models_{\mathcal{A}} \langle t\rangle\psi'$. 

Proof. Assume that $\psi = \langle t\rangle\psi' \in FL(\varphi)$; then $\psi' \in FL(\varphi)$ by definition of the 
closure. Now, there are two cases, which depend on whether $([w], [w']) \in \mathcal{R}^{FL(\varphi)}_t$ 
has been added to the original definition of the filtration because of an inclusion axiom 
of the form $[t]\alpha \supset [s_1]\ldots[s_m]\alpha \in \mathcal{A}$ or not. 

Assume that it has not been added. Then, by definition of $\mathcal{R}^{FL(\varphi)}_t$, there exist 
$w_1, w'_1 \in W$ such that $(w_1, w'_1) \in \mathcal{R}_t$, $[w_1] = [w]$, and $[w'_1] = [w']$. Since $M, w' \models_{\mathcal{A}} \psi'$, 
$M, w'_1 \models_{\mathcal{A}} \psi'$ because $\psi' \in FL(\varphi)$ and $[w'] = [w'_1]$. Hence, $M, w_1 \models_{\mathcal{A}} \langle t\rangle\psi'$ because 
$(w_1, w'_1) \in \mathcal{R}_t$. Finally, $M, w \models_{\mathcal{A}} \langle t\rangle\psi'$ since $\langle t\rangle\psi' \in FL(\varphi)$ and $[w] = [w_1]$. 

Assume that $([w], [w']) \in \mathcal{R}^{FL(\varphi)}_t$ but $(w, w') \notin \mathcal{R}_t$. The pair $([w], [w'])$ has been 
added to $\mathcal{R}^{FL(\varphi)}_t$ by the closure operation in order to satisfy the inclusion property 
of an inclusion axiom of the form $[t]\alpha \supset [s_1]\ldots[s_m]\alpha \in \mathcal{A}$. Then, there exist $[w_1], 
\ldots, [w_{m-1}]$ such that $([w_0], [w_1]) \in \mathcal{R}^{FL(\varphi)}_{s_1}, \ldots, ([w_{m-1}], [w_m]) \in \mathcal{R}^{FL(\varphi)}_{s_m}$, where $w_0$ 
is $w$ and $w_m$ is $w'$. Now, in turn, for each $([w_{i-1}], [w_i]) \in \mathcal{R}^{FL(\varphi)}_{s_i}$, for $i = 1, \ldots, m$, 
either the pair $([w_{i-1}], [w_i])$ has been added by the closure operation or not. Going 
on this way, we have $([v_0], [v_1]) \in \mathcal{R}^{FL(\varphi)}_{t_1}, \ldots, ([v_{h-1}], [v_h]) \in \mathcal{R}^{FL(\varphi)}_{t_h}$ such that the 
corresponding pairs belong to $\mathcal{R}_{t_i}$ and $t \Rightarrow^*_G t_1 \cdots t_h$, $v_0$ is $w_0$ (that, in turn, is 
$w$), and $v_h$ is $w_m$ (that, in turn, is $w'$). By construction, there exist $v'_{i-1}, v''_i \in W$ 
such that $(v'_{i-1}, v''_i) \in \mathcal{R}_{t_i}$ and $[v_{i-1}] = [v'_{i-1}]$ and $[v_i] = [v''_i]$, for $i = 1, \ldots, h$. 

Assume that $t \Rightarrow^*_G t_1 \cdots t_h$ is the derivation $A_0 \Rightarrow \sigma_1 A_1 \Rightarrow \cdots \Rightarrow 
\sigma_1 \cdots \sigma_n A_n \Rightarrow \sigma_1 \cdots \sigma_n \sigma_{n+1}$, where $A_0$ is $t$ and $A_n \rightarrow \sigma_{n+1}$ and $A_{i-1} \rightarrow \sigma_i A_i$, 
for $i = 1, \ldots, n$, are in $P$, and that $\sigma_{n+1}$ is $d_1 \cdots d_r$ ($= t_{h-r+1} \cdots t_h$). We know 
$M, v_h \models_{\mathcal{A}} \psi'$ and we have to prove that $M, v_{h-r} \models_{\mathcal{A}} \langle d_1\rangle \ldots \langle d_r\rangle\psi'$. Assuming 
that $\langle d_1\rangle \ldots \langle d_r\rangle\psi' \in FL(\varphi)$, we have that $M, v''_h \models_{\mathcal{A}} \psi'$ since $[v_h] = [v''_h]$ and 
$\psi' \in FL(\varphi)$. Since $(v'_{h-1}, v''_h) \in \mathcal{R}_{d_r}$ and $M, v''_h \models_{\mathcal{A}} \psi'$, then $M, v'_{h-1} \models_{\mathcal{A}} \langle d_r\rangle\psi'$ 
and, since $\langle d_r\rangle\psi' \in FL(\varphi)$ and $[v_{h-1}] = [v'_{h-1}]$, we have that $M, v_{h-1} \models_{\mathcal{A}} \langle d_r\rangle\psi'$. 
We can proceed in this way until we have $M, v'_{h-r} \models_{\mathcal{A}} \langle d_1\rangle \ldots \langle d_r\rangle\psi'$ and $M, v_{h-r} 
\models_{\mathcal{A}} \langle d_1\rangle \ldots \langle d_r\rangle\psi'$ since $[v_{h-r}] = [v'_{h-r}]$. Now, since the inclusion axiom $[A_n]\alpha 
\supset [d_1]\ldots[d_r]\alpha$ belongs to $\mathcal{A}$, $M, v_{h-r} \models_{\mathcal{A}} \langle A_n\rangle\psi'$. We can repeat the above 
argument for all derivation steps from $A_0$, obtaining $M, w \models_{\mathcal{A}} \langle A_0\rangle\psi'$. 

We have now to prove that $\langle d_1\rangle \ldots \langle d_r\rangle\psi' \in FL(\varphi)$. By hypothesis $\langle A_0\rangle\psi' \in 
FL(\varphi)$ ($A_0$ is $t$) and $A_0 \Rightarrow^* \sigma_1 \cdots \sigma_n \sigma_{n+1}$. Then, by Proposition 1, there exists 
a non-recursive derivation $A_0 \Rightarrow^* \sigma\sigma_{n+1}$, for some $\sigma \in T^*$. By definition of the 
Fischer-Ladner closure, since $\langle A_0\rangle\psi' \in FL(\varphi)$, we have $\langle t'_1\rangle \ldots \langle t'_k\rangle\langle d_1\rangle \ldots \langle d_r\rangle\psi' 
\in FL(\varphi)$, where $\sigma$ is $t'_1 \cdots t'_k$ and $\sigma_{n+1}$ is $d_1 \cdots d_r$, and, hence, $\langle d_1\rangle \ldots \langle d_r\rangle\psi' 
\in FL(\varphi)$. 

Lemma 2 (Filtration Lemma). For all $\psi \in FL(\varphi)$, $\mathcal{M}, w \models_{\mathcal{A}} \psi$ if and only if $\overline{\mathcal{M}}, \overline{w} \models_{\mathcal{A}} \psi$.

Proof. The proof is by induction on the structure of $\psi$. (Base step) For $\psi \in VAR$ the thesis holds trivially. (Induction step) The cases $\psi = \psi' \vee \psi''$ and $\psi = \neg\psi'$ are immediate from the definitions. Assume that $\psi = \langle t\rangle\psi'$. (If) If $\mathcal{M}, w \models_{\mathcal{A}} \langle t\rangle\psi'$ then there exists $w'$ such that $\mathcal{M}, w' \models_{\mathcal{A}} \psi'$ and $(w, w') \in \mathcal{R}_t$. By definition, we have $(\overline{w}, \overline{w'}) \in \overline{\mathcal{R}}^{\mathcal{A}}_t$ and, by induction hypothesis, $\overline{\mathcal{M}}, \overline{w'} \models_{\mathcal{A}} \psi'$. Hence $\overline{\mathcal{M}}, \overline{w} \models_{\mathcal{A}} \langle t\rangle\psi'$. (Only if) If $\overline{\mathcal{M}}, \overline{w} \models_{\mathcal{A}} \langle t\rangle\psi'$ then there exists $\overline{w'} \in \overline{W}$ such that $\overline{\mathcal{M}}, \overline{w'} \models_{\mathcal{A}} \psi'$ and $(\overline{w}, \overline{w'}) \in \overline{\mathcal{R}}^{\mathcal{A}}_t$. By inductive hypothesis, we have that $\mathcal{M}, w' \models_{\mathcal{A}} \psi'$ and, by Lemma 1, since $(\overline{w}, \overline{w'}) \in \overline{\mathcal{R}}^{\mathcal{A}}_t$, $\mathcal{M}, w \models_{\mathcal{A}} \langle t\rangle\psi'$.



Theorem 4 (Small Model Theorem). Let $\varphi$ be a satisfiable formula of a grammar logic based on a type-3 grammar $G$. Then, $\varphi$ is satisfied in a Kripke $\mathcal{A}$-interpretation with no more than $\ldots$ states.

Proof. If $\varphi$ is satisfiable, then there is a Kripke $\mathcal{A}$-interpretation $\mathcal{M}$ and a state $w$ in $\mathcal{M}$ such that $\mathcal{M}, w \models_{\mathcal{A}} \varphi$. Let $FL(\varphi)$ be the Fischer-Ladner closure of $\varphi$. By Lemma 2, $\overline{\mathcal{M}}, \overline{w} \models_{\mathcal{A}} \varphi$. Moreover, since, by Proposition 2, $|FL(\varphi)|$ is bounded, the filtration through $FL(\varphi)$ is a finite Kripke interpretation having at most $\ldots$ worlds, that being the maximum number of ways that worlds can disagree on sentences in $FL(\varphi)$.

Each right regular modal logic, by Theorem 4, is determined by a class of finite standard Kripke interpretations and, hence, it has the finite model property [22]. Then, we have the following corollary.

Corollary 3. The validity problem for the class of right regular modal logics is 
decidable. 
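As an added illustration, not code from the paper, the following Python carries out the construction behind Lemma 2 and Theorem 4 on a small constructed model: worlds agreeing on every formula of the closure are identified, the accessibility relations are projected onto the classes and then closed under the inclusion axioms of the grammar, and the filtration lemma is checked by brute force. The formula encoding, the grammar representation, the sample model and the function names are assumptions of the example; the closure implemented is the subformula closure extended by the non-recursive derivations, as the proof of Lemma 1 relies on.

```python
from itertools import product

# Constructed encoding: a formula is ('var', p) | ('neg', f) | ('or', f, g) | ('dia', a, f),
# a being a grammar symbol used as a modality. A right regular grammar is a dict
# nonterminal -> list of right-hand sides; the production A -> s1...sm is read as the
# inclusion axiom [A]a -> [s1]...[sm]a, i.e. R_s1 ; ... ; R_sm must be contained in R_A.

def nonrecursive_derivations(symbol, prods, seen=()):
    """Terminal words derivable from `symbol` without expanding any nonterminal twice."""
    if symbol not in prods:          # a terminal derives only itself
        return [(symbol,)]
    if symbol in seen:               # expanding it again would make the derivation recursive
        return []
    words = []
    for rhs in prods[symbol]:
        parts = [nonrecursive_derivations(s, prods, seen + (symbol,)) for s in rhs]
        words += [sum(combo, ()) for combo in product(*parts)]
    return words

def fl_closure(phi, prods):
    """Closure of phi: its subformulas, plus <t1>...<tk>psi for every <A>psi in the
    closure and every non-recursive derivation A =>* t1...tk (as used in Lemma 1)."""
    closure, todo = set(), [phi]
    while todo:
        f = todo.pop()
        if f in closure:
            continue
        closure.add(f)
        if f[0] == 'neg':
            todo.append(f[1])
        elif f[0] == 'or':
            todo += [f[1], f[2]]
        elif f[0] == 'dia':
            todo.append(f[2])
            for word in nonrecursive_derivations(f[1], prods):
                g = f[2]
                for sym in reversed(word):
                    g = ('dia', sym, g)
                todo.append(g)
    return closure

class Kripke:
    """Finite Kripke interpretation: R[a] is a set of (u, v) pairs, V[w] the variables true at w."""
    def __init__(self, worlds, rel, val):
        self.W, self.R, self.V = set(worlds), rel, val

    def sat(self, w, f):
        if f[0] == 'var':
            return f[1] in self.V[w]
        if f[0] == 'neg':
            return not self.sat(w, f[1])
        if f[0] == 'or':
            return self.sat(w, f[1]) or self.sat(w, f[2])
        return any(self.sat(v, f[2]) for (u, v) in self.R.get(f[1], set()) if u == w)

def compose(rel, worlds, word):
    """The relation R_{word[0]} ; ... ; R_{word[-1]} (identity for the empty word)."""
    pairs = {(w, w) for w in worlds}
    for s in word:
        pairs = {(u, z) for (u, v) in pairs for (v2, z) in rel.get(s, set()) if v == v2}
    return pairs

def close_under_axioms(rel, worlds, prods):
    """Least superset of rel satisfying every inclusion axiom (fixpoint iteration)."""
    rel = {a: set(ps) for a, ps in rel.items()}
    changed = True
    while changed:
        changed = False
        for a, rhss in prods.items():
            for rhs in rhss:
                missing = compose(rel, worlds, rhs) - rel.setdefault(a, set())
                if missing:
                    rel[a] |= missing
                    changed = True
    return rel

def satisfies_axioms(model, prods):
    """True iff model is closed under all inclusion axioms (a Kripke A-interpretation)."""
    return all(compose(model.R, model.W, rhs) <= model.R.get(a, set())
               for a, rhss in prods.items() for rhs in rhss)

def filtration(model, phi, prods):
    """Filtration through FL(phi): a quotient world is the set of FL(phi)-formulas true at a
    world (worlds agreeing on all of FL(phi) are identified); the relations are projected
    onto the classes and closed under the axioms. Returns (quotient, world -> class, FL(phi))."""
    fl = fl_closure(phi, prods)
    cls = {w: frozenset(f for f in fl if model.sat(w, f)) for w in model.W}
    worlds = set(cls.values())
    rel = {a: {(cls[u], cls[v]) for (u, v) in ps} for a, ps in model.R.items()}
    rel = close_under_axioms(rel, worlds, prods)
    val = {c: {f[1] for f in c if f[0] == 'var'} for c in worlds}   # members agree on these
    return Kripke(worlds, rel, val), cls, fl

def filtration_lemma_holds(model, phi, prods):
    """Lemma 2 by brute force: M,w |= psi iff M_f,[w] |= psi for every w and psi in FL(phi)."""
    mf, cls, fl = filtration(model, phi, prods)
    return all(model.sat(w, f) == mf.sat(cls[w], f) for w in model.W for f in fl)

# Constructed sample: grammar t -> s s (axiom [t]a -> [s][s]a), a five-world model already
# closed under it, and the formula <t>p; FL(<t>p) also contains <s><s>p, <s>p and p.
PRODS = {'t': [('s', 's')]}
M = Kripke(range(5), {'s': {(0, 1), (1, 2), (2, 3), (2, 4)}, 't': {(0, 2), (1, 3), (1, 4)}},
           {0: set(), 1: set(), 2: {'p'}, 3: {'p'}, 4: {'p'}})
PHI = ('dia', 't', ('var', 'p'))
```

Filtering the same model through the closure of the bare variable $p$ collapses it to two classes, and there the closure step actually adds pairs to the $t$-relation; with $\langle t\rangle p$ the derivation-closed $FL$ keeps the relevant worlds apart, which is what Lemma 1 needs.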

6 Discussion and Related Work 

In this paper we have established some undecidability results for multimodal logics, reducing well-known unsolvable problems of formal languages to satisfiability problems of multimodal systems by means of a tableau calculus based on prefixed formulas. Moreover, the decidability of the class of multimodal logics based on right regular grammars has been proved using the filtration method introduced by Fischer and Ladner in [12].
In order to have a general framework able to cope with any kind of grammar
logics, we have chosen the simplest way of representing models: prefixes are 
worlds, and relations between them are built step by step by the rules of the 
calculus. In particular, axioms are used as rewrite rules which create new paths 
among worlds. 

This approach is closely related to the approaches based on prefixes used by Fitting and other authors for classical modal systems (non-multimodal) [14,25,9]. There, prefixes are sequences of integers which represent a world as a path in the model that goes from the initial world to it. Thus, instead of representing a model as a graph, as in this paper, a model is represented as a set of paths, which can be considered as a spanning tree of the graph. Although this representation may be more efficient, it requires a specific $\nu$-rule for each logic. Properties of accessibility relations are coded in these rules, and thus, depending on the logic, the $\nu$-rules may express complex relations between prefixes, which instead in our case are explicitly available from the representation. Massacci [25] has proposed a “single step calculus”, where $\nu$-rules make use only of immediately accessible prefixes. His approach works for many logics, but it still requires the definition of specific $\nu$-rules.

Besides the disadvantage of requiring specific $\nu$-rules and the fact that they do not work with multimodal systems, we think that, though the approach based on prefixes as sequences might be adapted for some subclasses of grammar logics, it is difficult to extend it to the whole class. In particular, it can be shown that, for some grammar logics, a “generation lemma” like those used in [25,17] does not hold, i.e. it is not true that, for any prefix occurring on a branch, all intermediate prefixes occur too. Let us consider, for instance, the derivation of Example 1. We can imagine using the prefix 1.1^. Ip to represent the world $w_2$. Now, by applying axiom $A_1$, the same world can also be represented with the sequence l.lp.lj, whose subprefix l.lp does not occur on the branch. On the other hand, this subprefix is needed in order to conclude the proof successfully. Moreover, explicitly adding the subprefixes, as the one above, is not enough to solve the problem, since all prefixes representing the same world have to be identified. Similar considerations apply to the proposals in [18,32].

The proposals in [18,32,5] address the problem of an efficient implementation 
of the tableau calculi for a wide class of modal logics. They generalize the prefixes 
by allowing occurrences of variables and they use unification to show that two 
prefixes are names for the same world. While a straightforward implementation 
of our calculus is unlikely to be efficient, the generality of the approach makes 
it suitable to study the properties of different classes of logics. 

Instead of developing specific proof techniques for modal logics, some authors have proposed the alternative approach of translating modal logics into classical first order logic [29]. The translation methods are based on the idea of making explicit reference to the worlds by adding to all predicates an argument representing the world where the predicate holds, so that the modal operators can be transformed into quantifiers of classical logic. In particular, the functional translation [30,1] is based on the idea of representing paths in the possible worlds structure by means of compositions of functions which map worlds to accessible worlds. An advantage of this approach is that it keeps the structure of the original formula. However, the approach is suitable mainly for serial logics, for which optimization techniques have been studied [28,15], and it requires a different equational unification algorithm for each logic. A way to avoid equational reasoning while retaining the advantages of the functional translation has been developed by Nonnengart [27]. Gasquet in [15] deals with the same class of multimodal logics we have presented, where, however, seriality is assumed for each modal operator.

Though in this paper we have focused on a propositional language, the tableau calculus we have proposed can be naturally extended to the first order case by introducing the usual rules for quantifiers. Moreover, it can be extended to deal with a wider class of logics. In particular, in [2] a tableau calculus is developed for the class of multimodal logics characterized by “a, b, c, d-incestuality” axioms (defined by Catach in [7]) and, then, as a special case, also for the multimodal logics characterized by serial, symmetric, and Euclidean accessibility relations.



Acknowledgments. The authors would like to thank the referees for the precious advice.



References 

1. Y. Auffray and P. Enjalbert. Modal Theorem Proving: An equational viewpoint. Journal of Logic and Computation, 2(3):247-297, 1992.

2. M. Baldoni. Normal Multimodal Logics: Automatic Deduction and Logic Programming Extension. PhD thesis, Dipartimento di Informatica, Università degli Studi di Torino, 1998.

3. M. Baldoni, L. Giordano, and A. Martelli. A Multimodal Logic to define Modules in Logic Programming. In Proc. of ILPS'93, pages 473-487. The MIT Press, 1993.

4. M. Baldoni, L. Giordano, and A. Martelli. A Framework for Modal Logic Programming. In Proc. of JICSLP'96, pages 52-66. The MIT Press, 1996.

5. B. Beckert and R. Goré. Free Variable Tableaux for Propositional Modal Logics. In Proc. of TABLEAUX'97, volume 1227 of LNAI, pages 91-106. Springer-Verlag, 1997.

6. R. V. Book. Thue Systems as Rewriting Systems. Journal of Symbolic Computation, 3(1-2):39-68, 1987.

7. L. Catach. Normal Multimodal Logics. In Proc. of AAAI'88, pages 491-495. Morgan Kaufmann, 1988.

8. L. Catach. TABLEAUX: A General Theorem Prover for Modal Logics. Journal of Automated Reasoning, 7(4):489-510, 1991.

9. G. De Giacomo and F. Massacci. Tableaux and Algorithms for Propositional Dynamic Logic with Converse. In Proc. of CADE-15, volume 1249 of LNAI, pages 613-627. Springer, 1996.

10. P. Enjalbert and L. Fariñas del Cerro. Modal Resolution in Clausal Form. Theoretical Computer Science, 65(1):1-33, 1989.

11. L. Fariñas del Cerro and M. Penttonen. Grammar Logics. Logique et Analyse, 121-122:123-134, 1988.

12. M. J. Fischer and R. E. Ladner. Propositional Dynamic Logic of Regular Programs. Journal of Computer and System Sciences, 18(2):194-211, 1979.

13. M. Fisher and R. Owens. An Introduction to Executable Modal and Temporal Logics. In Proc. of the IJCAI'93 Workshop on Executable Modal and Temporal Logics, volume 897 of LNAI, pages 1-20. Springer-Verlag, 1993.

14. M. Fitting. Proof Methods for Modal and Intuitionistic Logics, volume 169 of Synthese Library. D. Reidel, Dordrecht, Holland, 1983.

15. O. Gasquet. Optimization of deduction for multi-modal logics. In Applied Logic: How, What and Why? Kluwer Academic Publishers, 1993.

16. M. Genesereth and N. Nilsson. Logical Foundations of Artificial Intelligence. Morgan Kaufmann, 1987.

17. R. A. Goré. Tableaux Methods for Modal and Temporal Logics. Technical Report TR-ARP-16-95, Automated Reasoning Project, Australian Nat. Univ., 1995.

18. G. Governatori. Labelled Tableaux for Multi-Modal Logics. In Proc. of TABLEAUX'95, volume 918 of LNAI, pages 79-94. Springer-Verlag, 1995.

19. J. Y. Halpern and Y. Moses. A Guide to Completeness and Complexity for Modal Logics of Knowledge and Belief. Artificial Intelligence, 54:319-379, 1992.

20. D. Harel, A. Pnueli, and J. Stavi. Propositional Dynamic Logic of Nonregular Programs. Journal of Computer and System Sciences, 26:222-243, 1983.

21. J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley Publishing Company, 1979.

22. G. E. Hughes and M. J. Cresswell. A Companion to Modal Logic. Methuen, 1984.

23. G. E. Hughes and M. J. Cresswell. A New Introduction to Modal Logic. Routledge, 1996.

24. M. Kracht. Highway to the Danger Zone. Journal of Logic and Computation, 5(1):93-109, 1995.

25. F. Massacci. Strongly Analytic Tableaux for Normal Modal Logics. In Proc. of CADE'94, volume 814 of LNAI, pages 723-737. Springer-Verlag, 1994.

26. A. Nerode. Some Lectures on Modal Logic. In F. L. Bauer, editor, Logic, Algebra, and Computation, volume 79 of NATO ASI Series. Springer-Verlag, 1989.

27. A. Nonnengart. First-Order Modal Logic Theorem Proving and Functional Simulation. In Proc. of IJCAI'93, pages 80-85, 1993.

28. H. J. Ohlbach. Optimized Translation of Multi Modal Logic into Predicate Logic. In Proc. of Logic Programming and Automated Reasoning, volume 822 of LNAI, pages 253-264. Springer-Verlag, 1993.

29. H. J. Ohlbach. Translation methods for non-classical logics: An overview. Bull. of the IGPL, 1(1):69-89, 1993.

30. H. J. Ohlbach. Semantics-Based Translation Methods for Modal Logics. Journal of Logic and Computation, 1(5):691-746, 1991.

31. M. A. Orgun and W. Ma. An overview of temporal and modal logic programming. In Proc. of the First International Conference on Temporal Logic, volume 827 of LNAI, pages 445-479. Springer-Verlag, 1994.

32. J. Pitt and J. Cunningham. Distributed Modal Theorem Proving with KE. In Proc. of TABLEAUX'96, volume 1071 of LNAI, pages 160-176. Springer-Verlag, 1996.

33. M. Wooldridge and N. R. Jennings. Agent Theories, Architectures, and Languages: A survey. In Proc. of the ECAI-94 Workshop on Agent Theories, volume 890 of LNAI, pages 1-39. Springer-Verlag, 1995.




Hyper Tableau — The Next Generation 



Peter Baumgartner* 



Universität Koblenz, Institut für Informatik
Rheinau 1, D-56075 Koblenz, Germany
peter@informatik.uni-koblenz.de



Abstract. “Hyper tableau” is a sound and complete calculus for first-order clausal logic. The present paper introduces an improvement which removes the major weakness of the calculus, which is the need to (at least partially) blindly guess ground-instantiations for certain clauses. This guessing is now replaced by a unification-driven technique.

The calculus is presented in detail, which includes a completeness proof. Completeness is proven by using a novel approach to extract a model from an open branch. This enables semantical redundancy criteria which are not present in related approaches.



1 Introduction 

In [BFN96] a clausal normal form tableau calculus called “hyper tableau” was introduced. This calculus was motivated by the possibility to keep many desirable features of analytic tableaux (such as a model construction for an open branch, branch-local and thus space-efficient clause generation and taking advantage of the rich structure of tableaux), while also taking advantage of the central idea from (positive) hyper resolution, namely to resolve away all negative literals of a clause in a single inference step. Unlike other tableau calculi, and similar to resolution calculi, hyper tableau permit a systematic branch saturation approach; a hyper tableau proof procedure thus does not have to start with a new tableau from scratch once the resources are exhausted on the current tableau during iterative deepening.

Variants of (ground) hyper tableaux have been used for efficient minimal model reasoning [Nie96], for diagnosis applications [BFFN97] and to compute database updates [AB97]. Hyper tableau like calculi have also been applied in provers like SATCHMO [MB88,LRW95] and the MGTP system [FH91]. However, these calculi ground-instantiate all clauses during the tableau construction.

The hyper tableau calculus of [BFN96] improves on this by allowing branch-local universally quantified variables. Consider for instance a disjunction $p(x,y) \vee q(x)$. When brought into the tableau, however, a ground instance for the variable $x$ has to be guessed, say $f(a)$, because $x$ appears in more than one positive literal. Hence extension with $p(f(a),y) \vee q(f(a))$ would be carried out. In general, all ground instantiations of the clause have to be enumerated and brought into the tableau. But notice that this still improves on e.g. SATCHMO because $y$ is universally quantified in $p(f(a),y)$, and e.g. the unit clause $p(f(a),b)$ would be subsumed and hence is redundant. The benefit of this use of universal variables was also demonstrated in [BFN96].

The purpose of the present paper is to describe an improvement of the hyper tableau calculus, such that its major weakness is eliminated, namely the guessing of ground instantiations for variables occurring in more than one positive literal. In order to achieve this, ideas from instance-generating calculi like Lee and Plaisted's hyper-linking [LP92] and Billon's disconnection calculus [Bil96] are adapted (differences to these calculi are discussed in Section 7 below).

The new hyper tableau calculus consists of an interplay between two inference rules: the Link rule generates branch-local instances of input clauses in a demand-driven way. The clauses generated in this way can be used by the other inference rule (the Ext rule) in hyper-resolution like extension steps. An important difference here is that the notion of branch closure is based on variant-ship of literals rather than syntactic equality (modulo negation).

Completeness is shown by constructing a model from an open branch which is closed under application of the inference rules. This construction is loosely related to the model-generation approaches for A-ordered tableaux [KH94] and for ordered resolution [BG94]. The model construction enables redundancy criteria which are not present in related approaches (cf. Section 7).

The rest of this paper is structured as follows: next we recall some preliminaries. Then we give a preview of the calculus by stating some examples. Then a more technical part follows which describes the calculus formally. Then the completeness of an improved version is proven. The last section comments on related work and future improvements.

2 Preliminaries 

We apply the usual notions of first-order logic, in a way consistent with [CL73]. For notions related to tableau calculi in general see [Fit90]; our primary interest however is in clausal tableaux similar to those in [LMG94].

A clause is a multiset of literals, written as a disjunction $A_1 \vee \cdots \vee A_m \vee \neg B_1 \vee \cdots \vee \neg B_n$ (where $m, n \geq 0$ and the $A$'s and $B$'s are atoms), or in implication style as $A_1, \ldots, A_m \leftarrow B_1, \ldots, B_n$ or $\mathcal{A} \leftarrow \mathcal{B}$, where $\mathcal{A} = \{A_1, \ldots, A_m\}$ and $\mathcal{B} = \{B_1, \ldots, B_n\}$. The literals $\mathcal{A}$ are called head literals and the literals $\mathcal{B}$ are called body literals. Clauses with $m \geq 1$ are also called program clauses.

A (Herbrand) interpretation $\mathcal{I}$ (for a given language) is represented as a (possibly infinite) set of atoms, such that atom $A$ is true in $\mathcal{I}$ iff $A \in \mathcal{I}$. As usual, $\mathcal{I} \models X$ means $X$ is true in $\mathcal{I}$, where $X$ is a sentence or a set of sentences (interpreted conjunctively). In particular, $\mathcal{I} \models \mathcal{A} \leftarrow \mathcal{B}$ iff $\mathcal{B}\gamma \subseteq \mathcal{I}$ implies $\mathcal{A}\gamma \cap \mathcal{I} \neq \emptyset$ for every ground substitution $\gamma$ for $\mathcal{A} \leftarrow \mathcal{B}$.

We consider literal trees $T$, i.e. finite, ordered trees, all nodes of which, except the root, are labelled with a literal. If $L$ is a literal then $[L]$ ambiguously denotes some node $N$ in $T$ which is labelled with $L$. A branch of length $n$ consisting of the nodes $N_0, N_1, \ldots, N_n$ with root $N_0$ and leaf $N_n$ is usually written as $[L_1 \cdot \ldots \cdot L_n]$ where $L_i$ is the label of $N_i$. The letters $p$ and $q$ are branch-valued variables, and if $p = [L_1 \cdot \ldots \cdot L_{n-1}]$ then $p \cdot [L_n]$ is the branch $[L_1 \cdot \ldots \cdot L_{n-1} \cdot L_n]$ (we assume that $[L_n]$ is a new node). Any (not necessarily strict) prefix $[L_1 \cdot \ldots \cdot L_m]$ of a branch $p = [L_1 \cdot \ldots \cdot L_m \cdot L_{m+1} \cdot \ldots \cdot L_n]$ is called a partial branch (of $p$). By $[\,]$ we denote both the root node and the partial branch from the root node to the root node.

Branches may be labelled with a $\star$ as closed; branches which are not closed are open. A tableau is closed if each of its branches is closed, otherwise it is open.

A literal tree is represented as the set of its branches; branch sets are denoted by the letters $\mathcal{P}, \mathcal{Q}$. We write $\mathcal{P}, \mathcal{Q}$ and mean $\mathcal{P} \cup \mathcal{Q}$. Similarly, $p, \mathcal{Q}$ means $\{p\}, \mathcal{Q}$. We write $X \in p$ iff $X$ occurs in $p$, where $X$ is a node or a literal label of some node in $p$.

The extension of $p$ with clause $C = L_1 \vee \ldots \vee L_n$, written as $p \circ C$, is the branch set $p \cdot [L_1], \ldots, p \cdot [L_n]$. Equivalently, in tree view this operation extends the branch $p$ by $n$ new nodes $N_1, \ldots, N_n$ which are labelled with the respective literals from $C$. Here we say that $C$ is the tableau clause of $N_i$ (for every $i$, $1 \leq i \leq n$). The tableau clause $C$ of $N_i$ is also denoted by $\mathrm{cl}(N_i)$.

For literals $A$ and $B$ we define $A \geq B$, $A$ is more general than $B$, iff there is a substitution $\sigma$ such that $A\sigma = B$; $A$ and $B$ are variants, written as $A \sim B$, iff $A \geq B$ and $B \geq A$; $A$ is strictly more general than $B$, $A > B$, iff $A \geq B$ and not $A \sim B$. $B$ is also said to be a strict, or proper, instance of $A$ then.

3 Informal Description of the Calculus

We want to preview our calculus of hyper tableau. For this we give two examples 
and show hyper tableau derivations. A hyper tableau derivation for a (possibly 
non-ground) clause set C is the construction of a closed clausal tableau (i.e. a 
tableau where every branch is labelled as closed), starting with the tableau which 
consists of the root node only. The tableaux are equipped with branch selection: 
for every open tableau exactly one open branch is selected (arbitrarily), and 
inferences may be carried out to this selected branch only. 

The tableau construction must be fair to the application of the two inference 
rules Ext and Link modulo some redundancy. As usual, this means that every 
possible application of an inference rule must be carried out eventually unless 
shown to be redundant. 

Besides an Init rule to set up the initial tableau, there are two inference rules: the Ext and the Link rule. The purpose of the Ext rule is to extend or close the selected branch. The Ext rule does not instantiate its “resources” (i.e. branch literals). The purpose of the Link rule is to generate new instances of input clauses, so that Ext will be applicable again. Link is in a sense complementary to Ext in that at least one of its resources must be properly instantiated.

We first consider the Ext rule; its application can be described as follows (cf. Def. 3): let $p$ be the selected branch; take a clause $\mathcal{A} \leftarrow \mathcal{B}$ from the “current clause set” $\mathcal{C}^-$ (which is initialised with the given input clause set $\mathcal{C}$), and apply to $p$ the $\beta$ rule with $\mathcal{A} \leftarrow \mathcal{B}$, i.e. we split the clause below the leaf of $p$. But this is done only if there is a most general substitution $\sigma$ such that every element $B\sigma \in \mathcal{B}\sigma$ is equal to a variant of a literal $L$ from $p$ (see also Def. 3). Then, all new branches with leaf $\neg B\sigma$ where $B\sigma \in \mathcal{B}\sigma$ are labelled as “closed”; the new branches (if any) with leafs from $\mathcal{A}\sigma$ are labelled as “open”. If there is an open branch in the resulting tableau, select one.

Some terminology: this occurrence of the clause $\mathcal{A}\sigma \leftarrow \mathcal{B}\sigma$ is called a tableau clause (of every branch passing through one of the literals of $\mathcal{A}\sigma \leftarrow \mathcal{B}\sigma$), and if the selected branch passes through an $A\sigma \in \mathcal{A}\sigma$ then we say that $A\sigma$ is selected in $\mathcal{A}\sigma \leftarrow \mathcal{B}\sigma$, which is denoted by $\mathrm{sel}(\mathcal{A}\sigma \leftarrow \mathcal{B}\sigma)$.



Example 1 (The Ext Inference Rule). Consider the following clause set $\mathcal{C}_1$ (the letters $u, v, w, x, y, z$ denote variables):

$p(x,x) \leftarrow$ (R)

$p(x,y), p(y,z) \leftarrow p(x,z)$ (T)

Figure 1 shows a hyper tableau derivation from $\mathcal{C}_1$. There, tableau A is obtained from the tableau which consists of the root only (the body literal condition for (R) is trivially satisfied); tableau B is obtained from A by extension with (T); the substitution $\sigma$ is $\{z \mapsto x\}$; similarly, C is obtained from B by extension with (T) and the empty substitution.



[Figure 1: tableau A consists of the single node $p(x,x)$ below the root; tableau B adds below $p(x,x)$ the three branches $p(x,y)$, $p(y,x)$ and $\neg p(x,x)$ (closed, $\star$); tableau C adds below the selected branch $p(x,y)$ the three branches $p(x,u)$, $p(u,y)$ and $\neg p(x,y)$ (closed, $\star$).]

Fig. 1. A hyper tableau derivation from $\mathcal{C}_1$; underlining is used to indicate the selected branch and also to indicate the selected literals in the tableau clauses. For convenience only the same variable names are used for the tableau clauses; that is, each tableau clause is quantified individually. Closed branches are labelled with a $\star$.



It is fair not to apply the Ext rule any further, because extension with (R) (or 
(T)) would result in a new tableau clause (R) (or (T)) for which there is a variant 
as a tableau clause contained already. Consequently, the derivation stops here, 
because the other inference rule — Link — is not applicable. 

Obviously, the Ext rule alone is not sufficient to achieve completeness, because the clause set $\{p(x) \leftarrow,\ \leftarrow p(a)\}$ would admit no refutation.



The letters $u, v, w, x, y, z$ denote variables.
The second inference rule of hyper tableau — the Link inference — can be described as follows (cf. Def. 3): let $p$ be the selected branch; take a clause $\mathcal{A} \leftarrow \mathcal{B}$ from the current clause set $\mathcal{C}^-$, and let $\sigma$ be a most general multiset unifier $\mathcal{B}\sigma = \{\mathrm{sel}(C_1), \ldots, \mathrm{sel}(C_n)\}\sigma$, where the $C_i$s are new variants of some tableau clauses of $p$. Furthermore, in order to avoid overlap with the Ext rule, we require that $C_i\sigma \not\sim C_i$, for some $i$, $1 \leq i \leq n$, i.e. at least one $C_i\sigma$ must be a proper instance of $C_i$.

If this holds, then consecutively add $C_1\sigma, \ldots, C_n\sigma$ to the current clause set $\mathcal{C}^-$, except those $C_i\sigma$ for which a variant is present already.

Example 2 (The Link Inference Rule). Consider the following clause set $\mathcal{C}_2$ (the letters $a, b, c, \ldots$ denote constants):

$p(x,y), q(x,y) \leftarrow$ (C)

$\leftarrow p(y,a)$ (D)

Figure 2 shows a hyper tableau derivation from $\mathcal{C}_2$. There, tableau A is obtained by an Ext step with (C). Now, Ext is not applicable any more, in particular not with clause (D). However, $p(y,a)$ unifies with $p(x,y)$, the selected literal in the tableau clause $p(x,y), q(x,y) \leftarrow$ (more precisely, we have to take a new variant of $p(x,y), q(x,y) \leftarrow$ since variables are shared). Hence a Link step is applicable, resulting in the (proper) instance (C') $= p(x,a), q(x,a) \leftarrow$. This instance (C') is added to the current clause set $\mathcal{C}^-$. Now, Ext becomes applicable again, resulting in the tableau B. Extension with (D) closes the branch, as indicated in tableau C. Now, to the selected branch $p$ in C, Ext need no longer be applied, because both (C) and (C') are contained as tableau clauses of $p$ already, and Ext with (D) cannot be applied. Further, a Link step with (D) applied to the tableau clause (C) of $p$ generates only a variant of a clause which is already contained in $\mathcal{C}^-$, namely (C'). Since it is fair never to add variants, the derivation stops now.



[Figure 2: tableau A has the branches $p(x,y)$ and $q(x,y)$ below the root, with $p(x,y)$ selected; the Link step with (D) yields $p(x,a), q(x,a) \leftarrow$; tableau B adds below $p(x,y)$ the branches $p(x,a)$ and $q(x,a)$; tableau C adds below $p(x,a)$ the branch $\neg p(y,a)$ (closed, $\star$).]

Fig. 2. A hyper tableau derivation from $\mathcal{C}_2$.



In this example we left the impression that $\mathcal{C}^-$ is global to the tableau under construction. However, below we will define $\mathcal{C}^-$ to be branch local as $\mathcal{C}^-(p)$ such that $\mathcal{C}^-(p)$ contains only those clauses which are in the input clause set $\mathcal{C}$ or added by Link inferences applied previously to the (not necessarily strict) prefixes of $p$. For instance $\mathcal{C}^-(q)$, where $q$ is the rightmost branch in C in Figure 2, consists of the clauses (C) and (D) only, because (C') was generated on a different branch.

The letters $a, b, c, \ldots$ denote constants.

This branch-locality is expected to be important in practice in order to keep space consumption low. On the other hand, since all clauses generated by Link are consequences of the input clause set, it is admissible (sound) to add them in any branch as well.

As a special case note that for propositional logic, Link is never applicable, because Link can only be applied if some tableau clause is properly instantiated, which obviously is impossible for the ground case. Hence, Ext alone suffices then. Using propositional logic we can also indicate a weakness of this basic version. Consider the ground clause set $\{(A, B \leftarrow), (A, C \leftarrow)\}$. Using Ext two times a tableau can be constructed by first extending with $A, B \leftarrow$ and then below $A$ with $A, C \leftarrow$. Clearly, there should be no need to apply the second Ext step as it duplicates the atom $A$ on the branch. Every “serious” calculus prunes such steps. For instance, within connection calculi the “regularity check” accomplishes this [LMG94]. Within hyper tableau, the “semantical” reason for pruning the second step is that we are considering after the first step a model candidate which makes $A$ true and hence renders $A, C \leftarrow$ true as well.

We solve this problem more generally by deriving from the selected branch 
an interpretation I{p) and (among other things) forbid extension with clauses 
which are true in I{p). This technique will be described in Section 5. 

4 Hyper Tableau Calculus 

In this section the inference rules of hyper tableau will be introduced. Then 
fairness of derivations is defined. In the next section fairness will then be refined 
to include a redundancy concept. 

Some preliminaries: we consider literal trees equipped with a branch selection function which assigns to every open literal tree one of its open branches. We write $\underline{p}, \mathcal{P}$ to indicate that $p$ is selected in the branch set $p, \mathcal{P}$.

Further, every open branch $p$ is labelled with a finite set of clauses, which is denoted by $\mathcal{C}^-(p)$. Intentionally, $\mathcal{C}^-(p)$ provides the “current clause set” whose members can be used for extension steps (cf. the informal presentation in Section 3). Alternatively, we will also write $(p, \mathcal{C}^-)$ and mean the branch $p$ with $\mathcal{C}^-(p) = \mathcal{C}^-$.

The set $\mathcal{C}^-(p)$ is complemented by the set $\mathcal{C}^+(p)$ of tableau clauses of $p$, i.e. those clauses which were used in extension steps to construct $p$. Since $p$ is a “path” through $\mathcal{C}^+(p)$ (in the connection method sense) it is natural that $p$ determines a respective selection of head literals of the clauses in $\mathcal{C}^+(p)$. More generally, a clause with selection is a program clause where one of its head literals $L$ is labeled (in some distinguished way), and $L$ is called the selected literal, which is denoted by $\mathrm{sel}(C)$. A clause set with selection consists of clauses with selection
only. In order to extract from a branch its clause set with selection we define:

$\mathcal{C}^+([L_1 \cdot \ldots \cdot L_n]) = \{\mathrm{cl}([L_1]), \ldots, \mathrm{cl}([L_n])\}$, where $\mathrm{sel}(\mathrm{cl}([L_i])) = L_i$, for $1 \leq i \leq n$.

We indicate selection by underlining, i.e. we write $A_1, \ldots, A_{i-1}, \underline{A_i}, A_{i+1}, \ldots, A_m \leftarrow B_1, \ldots, B_n$, where $i \in \{1, \ldots, m\}$, and mean $\mathrm{sel}(A_1, \ldots, A_m \leftarrow B_1, \ldots, B_n) = A_i$.

Two clauses with selection are considered as equal iff they consist of the same literals and the same literals are selected. The qualification “disregarding selection” means to read a clause with selection as a clause without selection.

Two clauses with selection are variants iff they are variants disregarding selection; the same holds for the instance relation.

Definition 3 (Hyper Tableau Inference Rules). The calculus of hyper tableau consists of the following inference rules:

The Init Inference Rule:

$$\frac{\mathcal{C}}{([\,], \mathcal{C}^-)}\ \text{Init}$$

for given finite clause set $\mathcal{C}$ without selection, where $\mathcal{C}^- = \mathcal{C}$.

The Ext Inference Rule:

$$\frac{(p, \mathcal{C}^-), \mathcal{P} \qquad \mathcal{A} \leftarrow \mathcal{B}}{p \circ ((\mathcal{A} \leftarrow \mathcal{B})\sigma), \mathcal{P}}\ \text{Ext}$$

where

1. $p, \mathcal{P}$ is a branch set with selected branch $p$, and
2. $(\mathcal{A} \leftarrow \mathcal{B}) \in \mathcal{C}^-$, and
3. $C_1, \ldots, C_n$ are new and pairwise disjoint variants of clauses from $\mathcal{C}^+(p)$, with the same selected literals (more precisely: the selected literal of the variant is such that when the variant is renamed back to the original clause, the selected literals will be the same), and
4. $\sigma$ is a most general multiset unifier $\mathcal{B}\sigma = \{\mathrm{sel}(C_1), \ldots, \mathrm{sel}(C_n)\}\sigma$, and
5. $C_i \sim C_i\sigma$, for every $i$, $1 \leq i \leq n$, and
6. every new branch $p \cdot [\neg B\sigma] \in p \circ ((\mathcal{A} \leftarrow \mathcal{B})\sigma)$, where $B \in \mathcal{B}$, is closed, and
7. every new branch $p \cdot [A\sigma] \in p \circ ((\mathcal{A} \leftarrow \mathcal{B})\sigma)$, where $A \in \mathcal{A}$, is open and $\mathcal{C}^-(p \cdot [A\sigma]) = \mathcal{C}^-$.

The Link Inference Rule:

$$\frac{(p, \mathcal{C}^-), \mathcal{P} \qquad \mathcal{A} \leftarrow \mathcal{B}}{(p, \mathcal{C}^- \cup \{C_1\sigma, \ldots, C_n\sigma\}), \mathcal{P}}\ \text{Link}$$

where

1. $p, \mathcal{P}$ is a branch set with selected branch $p$, and
2. $(\mathcal{A} \leftarrow \mathcal{B}) \in \mathcal{C}^-$, and
3. $C_1, \ldots, C_n$ are new and pairwise disjoint variants of clauses from $\mathcal{C}^+(p)$, with the same selected literals, and
4. $\sigma$ is a most general multiset unifier $\mathcal{B}\sigma = \{\mathrm{sel}(C_1), \ldots, \mathrm{sel}(C_n)\}\sigma$, and
5. $C_i\sigma \not\sim C_i$, for some $i$, $1 \leq i \leq n$.

The Init inference rule is used to set up an initial tableau consisting of the root only. For sample applications of the Ext and Link rules I refer back to Section 3.

In both Link and Ext, all the body literals $\mathcal{B}$ have to be "solved" simultaneously. This similarity to hyper resolution coined the name hyper tableau.

Notice that by the respective Conditions 5, the Link and Ext rules are mutually exclusive wrt. the same $\mathcal{A} \leftarrow \mathcal{B}$, clauses $C_1, \ldots, C_n$ and $\sigma$.

With the Link inference rule it is not excluded that $C^-(p)$ contains multiple variants of a clause. As a further improvement it is safe to keep only one variant for each clause in $C^-$.

Definition 4 (Hyper Tableau Derivation). A (hyper tableau) derivation from a set of clauses $\mathcal{C}$ is a (possibly infinite) sequence $\mathcal{P}_1, \ldots, \mathcal{P}_n, \ldots$ of branch sets (each element is also called a hyper tableau (for $\mathcal{C}$)), such that

1. $\mathcal{P}_1$ is obtained by an application of the Init inference rule to $\mathcal{C}$, and
2. for $i > 1$, $\mathcal{P}_i$ is obtained from $\mathcal{P}_{i-1}$ by one single application of either the Ext or Link inference rule.

A derivation which contains (and thus ends in) a closed tableau is also called a (hyper tableau) refutation.

While completeness will be discussed separately below, we can comment on soundness here. In brief, the hyper tableau calculus is sound because, first, the Link rule generates only instances of input clauses, hence logical consequences thereof. Second, in order to see that a closed hyper tableau $\mathcal{P}$ implies that the input clause set is unsatisfiable, think of replacing every variable in $\mathcal{P}$ by some constant (the same for every variable). Since variants of atoms become equal then, every branch contains a pair of complementary literals. Using the usual soundness result for tableau calculi we can conclude that the set of ground instances contained in the tableau is unsatisfiable. Since these all are instances of input clauses, the input clause set must be unsatisfiable itself.

As in resolution calculi, the calculus inference rules can be applied in a don’t- 
care nondeterministic way, as long as no possible application of an inference rule 
is deferred infinitely long. In other words, a concept of fairness is needed. 

Definition 5 (I-Paths, Finishedness, Fairness). Let $\mathcal{D} = (p_1, \mathcal{P}_1), \ldots, (p_n, \mathcal{P}_n), \ldots$ be a derivation which is not a refutation, where $p_i$ is the selected branch in $(p_i, \mathcal{P}_i)$, the $i$-th hyper tableau. Any possibly infinite sequence

$$P = \underbrace{(p_1 = N_0)}_{=:\, q_0},\ \underbrace{(N_0 \cdot N_1)}_{=:\, q_1},\ \ldots,\ \underbrace{(N_0 \cdot N_1 \cdot \ldots \cdot N_j)}_{=:\, q_j},\ \ldots$$

such that $q_j = p_{s_j}$, for some selected branch $p_{s_j}$ in $\mathcal{D}$, is called an i-path (of the derivation). An i-path $P$ is finished iff for every one of its elements the following two conditions hold:

1. If an Ext step with premise $(q_j, C^-), \mathcal{P}_j$ and $\mathcal{A} \leftarrow \mathcal{B}$ and conclusion $q_j \circ ((\mathcal{A} \leftarrow \mathcal{B})\sigma), \mathcal{P}_j$ is applicable, then $(\mathcal{A} \leftarrow \mathcal{B})\sigma \in C^+(q_m)$ modulo variants and disregarding selection for some selected branch $q_m$ in $P$.

2. If a Link step with premise $(q_j, C^-), \mathcal{P}_j$ and $\mathcal{A} \leftarrow \mathcal{B}$ and conclusion $(q_j, (C^-)'), \mathcal{P}_j$ is applicable, then for every clause $C \in (C^-)'$ there is a selected branch $q_m$ in $P$ with $C \in C^-(q_m)$ modulo variants and disregarding selection. The relation "$C \in \mathcal{C}$ modulo variants" is defined as "$D \sim C$ for some $D \in \mathcal{C}$".

Derivation $\mathcal{D}$ is fair iff $\mathcal{D}$ is a refutation or some i-path of $\mathcal{D}$ is finished.

That is, by an i-path we trace the stepwise extension of some branch in $\mathcal{D}$. This need not necessarily be the sequence of selected branches in the derivation, as any derivation is free to temporarily shift the focus away from a branch and return to it later, or subtrees might be closed. For example, the selected branches of the derivation in Figure 2 from left to right are $[\,]$, $[p(x,y)]$, $[p(x,y), p(x,a)]$, $[p(x,y), q(x,a)]$, and (the only) i-path, which is also finished, is

$$P = [\,],\ [p(x,y)],\ [p(x,y), q(x,a)] .$$

Note 6 (Concrete Fair Strategy). The finishedness conditions can easily be achieved by actually carrying out the inferences in the if-part eventually. One possible overall fair strategy consists of setting some resource bound, e.g. "maximal term depth", followed by alternate exhaustion in the following way: first exhaust on the given selected branch $p$ all Link inferences (it is straightforward to show that there are only finitely many of those, even without resource bound when function symbols are present). Then (finitely) exhaust all Ext inferences within the resource bound. If no refutation was found, then increase the resource bound by some value and continue on the exhausted branch.

5 Model Construction and Improvements 

In this section we consider additional refinements which allow us to considerably restrict the application of the Link and Ext inference rules. These restrictions are based on semantical concepts which will be introduced next.

Definition 7 (Productive Clauses). Let $C$ be a program clause with selection, let $C^+_0$ be a possibly infinite set of clauses with selection of instances of $C$, and let $C^-_0$ be a set of clauses without selection of instances of $C$. We say that $C$ produces^4 ground atom $A$ wrt. $(C^+_0, C^-_0)$ iff there is a ground substitution $\gamma$ for $C$ such that

1. $A = sel(C)\gamma$, and
2. there is no $D \in C^+_0$ with $C > D$ and $D \ge C\gamma$ and $sel(D) \ge A$, and
3. there is no $D \in C^-_0$ with $C > D$ and $D \ge C\gamma$.

^4 This notion is borrowed from [BG94] and has a similar meaning for ordered resolution.

Let $p, \mathcal{P}$ be a hyper tableau for $\mathcal{C}$ with selected branch $p$. Let $C \in \mathcal{C}$. Define

$$C^+_C(p) = \{D \in C^+(p) \mid C \ge D\} \quad\text{and}\quad C^-_C(p) = \{D \in C^-(p) \mid C \ge D\} .$$

We say that $C$ produces ground atom $A$ wrt. $p$ iff $C$ produces $A$ wrt. $(C^+_C(p), C^-_C(p))$.

The intention of "producing clauses" is this: for given $A$ we see if there is an instance of $C$ in the given "positive" set $C^+_0$ such that $sel(C)$ can be instantiated to $A$. Condition 2 expresses that there is no more specific clause which achieves this. If condition 3 does not hold then there is a proper instance of $C$ in the negative set $C^-_0$ which "cancels" $C$.

For example, if $C = p(x,y), r(y,z) \leftarrow q(x)$ and $C^+_0 = \{p(x,x), r(x,z) \leftarrow q(x)\}$ and $C^-_0 = \emptyset$ then $C$ produces $p(a,b)$, but $C$ does not produce $p(a,a)$ (neither does the clause in $C^+_0$ produce $p(a,a)$). Now, if $C^-_0 = \{p(x,c), r(c,z) \leftarrow q(x)\}$ instead, then $C$ still produces $p(a,b)$ but no longer produces $p(a,c)$. This is because the clause in $C^-_0$ "cancels" any appropriate ground substitution for $C$.
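The check of Definition 7 can be carried out mechanically in the function-free case (the setting of Corollary 13), where a ground substitution for $C$ ranges over the finitely many constants at hand. The following Python program is an added illustration and not code from the paper; it assumes its own encoding of terms (upper-case strings as variables, lower-case strings as constants, tuples as atoms), treats the instance relation $C \ge D$ as one-way matching of the clause read as a single term with a fixed literal order, and reproduces the two examples above.

```python
"""Productive clauses (Definition 7) for function-free clauses.

Added worked example, not code from the paper.  Assumed encoding:
  variables  = strings starting with an upper-case letter, e.g. 'X'
  constants  = lower-case strings, e.g. 'a'
  atoms      = tuples (predicate, arg, ...), e.g. ('p', 'X', 'a')
  clause     = (heads, body, sel) with sel the index of the selected head
               literal, or None for a clause without selection (the set C^-).
"""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def is_const(t):
    return isinstance(t, str) and t[:1].islower()


def match(pat, term, sub):
    """One-way matching: an extension of sub with pat*sub == term, else None."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term) or pat[0] != term[0]:
            return None
        for p, t in zip(pat[1:], term[1:]):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pat == term else None          # constants must agree literally


def subst(t, sub):
    if is_var(t):
        return sub.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, sub) for a in t[1:])
    return t


def symbols(t, pred):
    """Leaf symbols of t satisfying pred; predicate/functor positions are skipped."""
    if isinstance(t, tuple):
        return set().union(*(symbols(a, pred) for a in t[1:]))
    return {t} if pred(t) else set()


def as_term(cl):
    """A clause as one term, so that matching yields the instance relation.
    Literal order is kept fixed (assumption: clauses as sequences, not multisets)."""
    heads, body, _ = cl
    return ('cl',) + tuple(heads) + ('<-',) + tuple(body)


def instance_of(D, C):
    """C >= D : D is an instance of C."""
    return match(as_term(C), as_term(D), {}) is not None


def strict_instance_of(D, C):
    """C > D : instance but not a variant."""
    return instance_of(D, C) and not instance_of(C, D)


def sel(cl):
    heads, _, i = cl
    return heads[i]


def apply_clause(cl, sub):
    heads, body, i = cl
    return (tuple(subst(h, sub) for h in heads), tuple(subst(b, sub) for b in body), i)


def produces(C, A, C_plus, C_minus):
    """Does C produce the ground atom A wrt. (C_plus, C_minus)?  (Def. 7)
    Variables of C that sel(C) does not fix are grounded over the constants in the
    input (one fresh constant if there is none); this is exhaustive because there
    are no function symbols."""
    g = match(sel(C), A, {})                           # condition 1: A = sel(C)*gamma
    if g is None:
        return False
    terms = [as_term(C), A] + [as_term(D) for D in C_plus + C_minus]
    consts = sorted(set().union(*(symbols(t, is_const) for t in terms))) or ['c0']
    rest = sorted(symbols(as_term(C), is_var) - set(g))
    for vals in product(consts, repeat=len(rest)):
        gamma = {**g, **dict(zip(rest, vals))}
        Cg = apply_clause(C, gamma)
        # condition 2: a strictly more specific positive clause covering C*gamma
        # whose selected literal also covers A takes precedence
        blocked = any(strict_instance_of(D, C) and instance_of(Cg, D)
                      and match(sel(D), A, {}) is not None for D in C_plus)
        # condition 3: a strictly more specific negative clause "cancels" C*gamma
        blocked = blocked or any(strict_instance_of(D, C) and instance_of(Cg, D)
                                 for D in C_minus)
        if not blocked:
            return True
    return False


# The paper's example in the encoding above.
C = ((('p', 'X', 'Y'), ('r', 'Y', 'Z')), (('q', 'X'),), 0)         # p(x,y), r(y,z) <- q(x)
D_pos = ((('p', 'X', 'X'), ('r', 'X', 'Z')), (('q', 'X'),), 0)     # in C^+, p(x,x) selected
D_neg = ((('p', 'X', 'c'), ('r', 'c', 'Z')), (('q', 'X'),), None)  # in C^-, no selection

if __name__ == '__main__':
    for atom, plus, minus in [(('p', 'a', 'b'), [D_pos], []), (('p', 'a', 'a'), [D_pos], []),
                              (('p', 'a', 'b'), [], [D_neg]), (('p', 'a', 'c'), [], [D_neg])]:
        print(atom, produces(C, atom, plus, minus))
```

Running the module prints the four verdicts of the example: $p(a,b)$ produced, $p(a,a)$ blocked by the more specific positive clause, and with the negative clause $p(a,b)$ still produced but $p(a,c)$ cancelled. Enumerating the variables that $sel(C)$ leaves open ($z$ here) is what makes the existential quantifier over $\gamma$ decidable; with function symbols one would have to bound term depth instead, as in Note 6.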

In order to take advantage of the just defined concepts (and to prove completeness below) we have to slightly generalise to i-paths:

Definition 8 (Semantics of i-paths). Let $\mathcal{D}$ be a derivation from $\mathcal{C}$ and let $P = q_0, \ldots, q_j, \ldots$ be an i-path of $\mathcal{D}$. For any $C \in \mathcal{C}$ define

$$C^+_C(P) = \{D \in C^+(P) \mid C \ge D\}, \text{ where } C^+(P) = \bigcup_{j \ge 0} C^+(q_j) ,$$
$$C^-_C(P) = \{D \in C^-(P) \mid C \ge D\}, \text{ where } C^-(P) = \bigcup_{j \ge 0} C^-(q_j) .$$

We say that $C$ produces ground atom $A$ wrt. $P$ iff $C$ produces $A$ wrt. $(C^+_C(P), C^-_C(P))$. We assign an interpretation $I(P)$ to $P$ as follows:

$$I(P) = \{A \mid C \text{ produces } A \text{ wrt. } P \text{ for some } C \in C^+(P)\} .$$

That is, an atom A is true in this model construction iff it is produced by some 
clause coming up eventually as tableau clause in the derivation; the head literal 
producing A is determined by the open branch passing through it. In other 
words, only atoms can be true which are instances of atoms on the branch (this 
is “typical” for tableau model constructions), but the converse does not hold. 

Note that the definition also gives the construction of an interpretation for 
given branch p, by taking the finite prefix ending in p of any i-path P which 
contains p. 

For instance, in Figure 1, the selected branch in tableau (C) renders all instances of $p(x,y)$ as true, and the interpretation associated to the selected branch in tableau (C) in Figure 2 assigns true to $p(a,b)$, because $p(a,b)$ is an instance of the selected literal in $p(x,y) \vee q(x,y)$; $q(a,b)$ is not an instance of the selected literal in $p(x,a) \vee q(x,a)$ and is false. Similarly, $q(a,a)$ is true, but $p(a,a)$ is false.
A special case is propositional logic: whenever ground atom $A$ is on a branch $p$, the clause $C$ it stems from produces $A$ wrt. $p$ or any extension of $p$, because there are no strict instances of $C$ which could prevent $C$ from producing $A$. Hence, any Ext step with a clause whose head contains $A$ is redundant and thus need not be carried out below $p$.
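For the propositional case the remark above collapses the whole calculus to a small procedure: Link never fires (a ground clause has no proper instances), $I(P)$ is just the set of atoms on the branch, and an Ext step is redundant exactly when one of its head atoms already lies on the branch. The Python program below is an added worked example, not code from the paper, implementing Init and Ext from Definition 3 for ground clauses together with the model check of Theorem 12 on a constructed clause set.

```python
"""Ground (propositional) hyper tableau.

Added worked example, not code from the paper.  A clause is (heads, body), two
frozensets of atom names, read as  heads <- body ; an empty head is a negative
clause  <- body.  All clauses are ground, so the Link rule never applies (there are
no proper instances), the model of a branch is the set of atoms on it, and an Ext
step is redundant iff one of its head atoms is already on the branch.
"""


def clause(heads=(), body=()):
    return (frozenset(heads), frozenset(body))


def ext_candidates(branch, clauses):
    """Clauses whose body is solved by the branch as a whole (the hyper condition:
    all B's at once) and whose Ext step is not redundant on this branch."""
    return [(h, b) for h, b in clauses if b <= branch and not (h & branch)]


def is_model(atoms, clauses):
    """atoms |= clauses: every clause whose body holds has a head atom in atoms."""
    return all(not (b <= atoms) or bool(h & atoms) for h, b in clauses)


def hyper_tableau(clauses):
    """Return None if the clause set is refuted (all branches closed), otherwise
    the atoms of a finished open branch, which form a model of the clause set
    (the ground instance of Theorem 12)."""
    open_branches = [frozenset()]              # Init: the root is the empty branch
    while open_branches:
        branch = open_branches.pop()           # the selected branch
        steps = ext_candidates(branch, clauses)
        if not steps:
            return branch                      # finished: nothing non-redundant left
        heads, _body = steps[0]                # don't-care choice, finite hence fair
        # Ext: the branches for the body literals close immediately and one open
        # branch per head literal remains; a negative clause closes the branch.
        for atom in sorted(heads):
            open_branches.append(branch | {atom})
    return None                                # closed tableau: refutation


# Constructed sample input:  p v q ;  r <- p ;  r <- q ;  <- r   (unsatisfiable)
UNSAT = [clause(['p', 'q']), clause(['r'], ['p']), clause(['r'], ['q']), clause([], ['r'])]
# Without  r <- q  the set is satisfiable; the finished open branch carries the model {q}.
SAT = [clause(['p', 'q']), clause(['r'], ['p']), clause([], ['r'])]

if __name__ == '__main__':
    print(hyper_tableau(UNSAT))             # None
    print(sorted(hyper_tableau(SAT)))       # ['q']
```

Each non-redundant Ext step puts a new atom on the branch, so the loop terminates after at most as many steps per branch as there are atoms; this is the ground shadow of the argument in Corollary 13. Replacing the don't-care choice `steps[0]` by any other selection keeps the procedure fair in the sense of Definition 5, because every candidate is eventually either taken or made redundant.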

Note 9 (Chain Property and Compactness). Notice that as a property of the inference rules this chain property holds:

$$C^+(q_0) \subseteq C^+(q_1) \subseteq \ldots \subseteq C^+(q_j) \subseteq \cdots \quad\text{and}\quad C^-(q_0) \subseteq C^-(q_1) \subseteq \ldots \subseteq C^-(q_j) \subseteq \cdots$$

It is straightforward to show a compactness property, namely that $\mathcal{C} \subseteq C^+(P)$ for finite $\mathcal{C}$ iff $\mathcal{C} \subseteq C^+(q_j)$ for some $q_j$ (and, of course, the same holds for $\mathcal{C} \subseteq C^-(P)$). We will use this property in the completeness proof below.



Definition 10 (Redundant Inferences, Restricted Fairness). Let $\mathcal{D}$ be a derivation with i-path $P$.

An application of the Ext inference rule (cf. Def. 3) is redundant (in $P$) iff $I(P) \models (\mathcal{A} \leftarrow \mathcal{B})\sigma$.

An application of the Link inference rule is redundant (in $P$) iff (a) some clause from $\{C_1, \ldots, C_n\}$ does not produce any ground instance of $\mathcal{B}\sigma$ wrt. $P$, or (b) $I(P) \models (\mathcal{A} \leftarrow \mathcal{B})\sigma$. In both cases non-redundant means "not redundant".

We define the notion finished i-path wrt. non-redundant inferences to be the same as finished i-path (cf. Def. 5) except that the qualification "or the inference is redundant in $P$" is added to the then-part in both conditions. A derivation $\mathcal{D}$ is fair wrt. non-redundant inferences iff $\mathcal{D}$ is a refutation or some i-path of $\mathcal{D}$ is finished wrt. non-redundant inferences.



In practice these restrictions can be approximated by not carrying out an inference which is redundant in the current selected branch. This is possible because if an inference is redundant in all branches $p_j, p_{j+1}, \ldots$ starting from some $j$, then it is also redundant in $P$.

For instance, the Ext step leading to tableau (C) in Figure 1 is redundant because (T) is true in the interpretation associated to the selected branch of the tableau the step is applied to (since all instances of $p(x,y)$ are true there). If in Example 2 we assume the additional input clause $r(a) \leftarrow p(a,a)$ then a Link step with this clause in the tableau (C) is redundant, because the tableau clause $p(x,y), q(x,y) \leftarrow$ used for that step does not produce $p(a,a)$.



6 Completeness 

In this section we will prove the completeness of the improved version. 

In the sequel let $\mathcal{D} = (p_1, \mathcal{P}_1), \ldots, (p_n, \mathcal{P}_n), \ldots$ be a fair derivation from $\mathcal{C}$ which is not a refutation, and let $P = q_0, \ldots, q_j, \ldots$ be a finished i-path of $\mathcal{D}$. Recall that according to Definition 5, for $j \ge 0$ we have $q_j = p_{s_j}$ for some selected branch $p_{s_j}$ in $\mathcal{D}$.




Lemma 11 (Finite Production Property). If $A \in I(P)$ then for some $j$ there is a clause $C \in C^+(q_j)$ such that $C$ produces $A$ wrt. $q_k$ for every $k \ge j$.

The relevance of this lemma is the property that every member $A$ of $I(P)$ will be produced by some $C$ after finitely many steps (of course) and that $C$ remains productive for $A$ afterwards. In other words, $A$ will be true at some point and remain true afterwards. We will need this for completeness below.

Proof. Let $A \in I(P)$ be given. By Def. 8, there is a $C \in C^+(P)$ such that $C$ produces $A$ wrt. $P$, i.e. $C$ produces $A$ wrt. $(C^+_C(P), C^-_C(P))$. By Def. 7, there is a ground substitution $\gamma$ for $C$ such that

1. $A = sel(C)\gamma$, and
2. there is no $D \in C^+_C(P)$ with $C > D$ and $D \ge C\gamma$ and $sel(D) \ge A$, and
3. there is no $D \in C^-_C(P)$ with $C > D$ and $D \ge C\gamma$.

In order to have $C \in C^+(P)$ it must be that $C \in C^+(q_j)$ for some $j$.

Contrary to the claim that $C$ produces $A$ wrt. $q_k$ for every $k \ge j$, suppose that (case 1) for some $k \ge j$ there is $D \in C^+_C(q_k)$ with $C > D$ and $D \ge C\gamma$ and $sel(D) \ge A$. But since also trivially $D \in C^+_C(P)$ we immediately arrive at a contradiction to item 2.

Case 2, that for some $k \ge j$ there is a $D \in C^-_C(q_k)$ with $C > D$ and $D \ge C\gamma$, is similar: since trivially $D \in C^-_C(P)$ we immediately arrive at a contradiction to item 3.

Consequently, $C$ produces $A$ wrt. $q_k$ for every $k \ge j$. □

Theorem 12 (Model Existence of Open Hyper Tableaux). Let $\mathcal{D}$ be a hyper tableau derivation from clause set $\mathcal{C}$ which is fair wrt. non-redundant inferences. If $\mathcal{D}$ is not a refutation then $\mathcal{C}$ is satisfiable. More specifically, there is at least one finished i-path $P$ of $\mathcal{D}$, and $I(P) \models \mathcal{C}$ for every finished i-path $P$ of $\mathcal{D}$.

Notice that this theorem immediately gives refutational completeness by taking 
the contrapositive. 

Proof. Suppose that $\mathcal{D}$ is not a refutation. The existence of an i-path $P$ as claimed follows trivially from fairness. The non-trivial part is the model construction.

We need the following well-foundedness property: there is no infinite chain $(C = C_1) > C_2 > \ldots > C_n > \ldots$ of instances of clause $C$ such that every $C_i \ge C\gamma$ for given ground instance $C\gamma$. This is because every $C_i$ is a proper instance of $C_{i-1}$, and any infinite instantiation of $C$ will necessarily result in a clause $C_j$ with higher term depth than $C\gamma$, and hence $C_j \ge C\gamma$ would not hold.

Hence for given (possibly infinitely many) $C_i$'s and $C\gamma$ we can always find some $C_j \ge C\gamma$ such that there is no $C_k$ with $C_j > C_k \ge C\gamma$. Let us refer to this situation by "$C_j$ is the most specific generalisation of $C\gamma$ (wrt. the given $C_i$'s)".

Assume, to the contrary of the claim, that $I(P) \not\models \mathcal{C}$. Then, there is a ground instance $(\mathcal{A} \leftarrow \mathcal{B})\gamma$ of a clause $C = (\mathcal{A} \leftarrow \mathcal{B}) \in \mathcal{C}$ such that $\mathcal{B}\gamma \subseteq I(P)$ and $\mathcal{A}\gamma \cap I(P) = \emptyset$. There is a most specific generalisation of $C\gamma$ in $C^-(P)$ wrt. $C^-(P)$. Without loss of generality let $C$ itself be this clause.
Write $\mathcal{B}$ as the multiset $\mathcal{B} = \{B_1, \ldots, B_n\}$. By Lemma 11 for every $B_i\gamma$ there is a $j_i$ and a clause $C_i \in C^+(q_{j_i})$ such that $C_i$ produces $B_i\gamma$ wrt. $q_k$ for every $k \ge j_i$. By taking $m = \max\{j_1, \ldots, j_n\}$ we conclude that $C_i$ produces $B_i\gamma$ wrt. $q_l$, for every $l \ge m$. Further, by the chain property (Note 9) we have $C_i \in C^+(q_m)$.

By definition of productivity, there are ground substitutions $\gamma_1, \ldots, \gamma_n$ such that $sel(C_i)\gamma_i = B_i\gamma$. Without loss of generality we can assume that the $C_i$'s are pairwise variable disjoint and also disjoint from $\mathcal{A} \leftarrow \mathcal{B}$ (we can always find such variants and modify the $\gamma_i$'s). But then it holds (possibly after restricting the domains of the $\gamma_i$'s to the variables of $C_i$) that $sel(C_i)\gamma_1 \cdots \gamma_n\gamma = B_i\gamma_1 \cdots \gamma_n\gamma$. Then there is also a most general multiset unifier $\mathcal{B}\sigma = \{sel(C_1), \ldots, sel(C_n)\}\sigma$ and a substitution $\delta$ such that $sel(C_i)\sigma\delta = sel(C_i)\gamma_i = B_i\gamma = B_i\sigma\delta$.

Case 1. If for some $i$, $1 \le i \le n$, $C_i\sigma \not\sim C_i$, then all the conditions to apply a Link step to $q_m$ in the following way hold (for some $\mathcal{P}$):

    $(q_m, C^-), \mathcal{P}$        $\mathcal{A} \leftarrow \mathcal{B}$
    ---------------------------------------------------- Link
    $(q_m, C^- \cup \{C_1\sigma, \ldots, C_n\sigma\}), \mathcal{P}$

Since $(\mathcal{A} \leftarrow \mathcal{B})\gamma$ is false in $I(P)$, it follows that $I(P) \not\models (\mathcal{A} \leftarrow \mathcal{B})\sigma$. Furthermore, as shown, every $C_i$ produces some ground instance of $B_i$, namely $B_i\gamma$. Hence, this inference is not redundant. Thus, since $\mathcal{D}$ is fair wrt. non-redundant inferences, every element from $C^- \cup \{C_1\sigma, \ldots, C_n\sigma\}$ will be contained in $C^-(P)$ eventually (either nothing has to be added, or by carrying out this Link step or any other Link step which adds the $C_i\sigma$'s). In particular, that $C_i\sigma$ with $C_i\sigma \not\sim C_i$ must be generated eventually, say $C_i\sigma \in C^-(q_g)$ modulo variants and disregarding selection for some selected branch $q_g$.

Notice that from $C_i\sigma \not\sim C_i$ it follows $C_i > C_i\sigma$. Now, if $g \le m$ then also $C_i\sigma \in C^-(q_m)$, which contradicts the fact that $C_i$ produces $B_i\gamma$ wrt. $q_m$ (by virtue of $C_i\sigma$, cf. Def. 7).

If $g > m$ then recall that $C_i$ was shown above to produce $B_i\gamma$ wrt. $q_l$, for every $l \ge m$. But then $C_i$ must produce $B_i\gamma$ wrt. $q_g$ as well; again, this is impossible due to the existence of $C_i\sigma \in C^-(q_g)$.

Hence, in both cases we get a contradiction, which renders case 1 impossible.

Case 2 (complement to case 1). For every $i$, $1 \le i \le n$, $C_i\sigma \sim C_i$; then all the conditions to apply an Ext step to $q_m$ in the following way hold (for some $\mathcal{P}$):

    $(q_m, C^-), \mathcal{P}$        $\mathcal{A} \leftarrow \mathcal{B}$
    ---------------------------------------------------- Ext
    $q_m \circ ((\mathcal{A} \leftarrow \mathcal{B})\sigma), \mathcal{P}$

Since $(\mathcal{A} \leftarrow \mathcal{B})\gamma$ is false in $I(P)$, it follows that $I(P) \not\models (\mathcal{A} \leftarrow \mathcal{B})\sigma$. Hence, this inference is not redundant. Thus, since $\mathcal{D}$ is fair wrt. non-redundant inferences, $(\mathcal{A} \leftarrow \mathcal{B})\sigma \in C^+(q_g)$ modulo variants and disregarding selection for some selected branch $q_g$ (this can be achieved by carrying out this Ext step or any other Ext step which adds a variant of $(\mathcal{A} \leftarrow \mathcal{B})\sigma$). Hence $(\mathcal{A} \leftarrow \mathcal{B})\sigma \in C^+(P)$.

Notice that $\mathcal{A} = \emptyset$ is impossible because then $q_g$ would be closed, contradicting the fact that $q_g$ is contained in the considered i-path $P$.
By the well-foundedness property above we can find a most specific generalisation $C' \in C^+(P)$ of $C\gamma$ wrt. $C^+(P)$ (disregarding selection). This $C'$ can either be $C\sigma$ itself or some (later or previously) added instance of $C\sigma$.

Now the case that $C'$ produces some literal from $\mathcal{A}\gamma$ wrt. $C^+(P)$ is impossible, because then $C\gamma$ would be true in $I(P)$.

Hence (cf. Def. 7) for the ground instance $C'\gamma'$ of $C'$ with $C'\gamma' = C\gamma$ there must be some $D' \in C^-(P)$ with $C' > D'$ and $D' \ge C'\gamma'$ (the other case, item 2 in Def. 7, is impossible because $C'$ is a most specific generalisation of $C\gamma$ wrt. $C^+(P)$).

But now from $C \ge C\sigma \ge C' > D' \ge C'\gamma' = C\gamma$ we have a contradiction to the assumption that $C$ is a most specific generalisation of $C\gamma$ (because $D'$ is). Hence $I(P) \models C\gamma$ and the claim follows. □

Corollary 13 (Decision Procedure for Bernays-Schönfinkel Class). The hyper tableau calculus (both versions) is a decision procedure for the Bernays-Schönfinkel class, i.e. for formulas of the form $\exists^*\forall^* Q$ where $Q$ is some quantifier-free formula.

Proof. The clausal form of the formula contains no function symbols, but no other restrictions on the syntactic structure apply. It suffices to show that any fair derivation will necessarily end after finitely many steps. The reason for this is simple: whenever Link adds a clause $C$ to the current set $C^-(p)$, $C$ must be a strict instance of some clause in $C^-(p)$. Clearly, in the absence of function symbols this cannot be done infinitely often. Further, application of the Ext rule is also finitely bounded, because extension is never carried out if a variant of the clause to be extended with is a tableau clause already. □

This property is remarkable, as there seems to be no resolution or free variable tableau variant developed until now which achieves this (at least without taking bounds on the maximal length of clauses into consideration, which depends on the number of constants of the clause set). No resolution variant in [Joy76] or in Leitsch's recent book [Lei97] accomplishes this. For instance, hyper resolution will loop on the clause set $\mathcal{C}_1$ in Example 1 because all resolvents of the form $p(x_1, x_2) \vee p(x_2, x_3) \vee \ldots \vee p(x_{n-1}, x_n) \vee p(x_n, x_1)$ will be generated, and subsumption is not powerful enough to prevent this.

Other calculi which decide this class are Billon's disconnection calculus [Bil96] or the hyper linking family of calculi [LP92]. This demonstrates that the hyper tableau and related calculi are very different from resolution calculi.

7 Conclusions 

Related work. First of all, the hyper tableau calculus in [BFN96] can be seen as a predecessor of the calculus here. While the calculus in [BFN96] has to guess ground instantiations for variables occurring in clause heads in different literals, such as $x$ in $p(x,y), q(x) \leftarrow$, the present version avoids this by a unification-based approach. This is the central contribution of the present paper.

In [Küh97] a variant of a hyper tableau calculus is described which treats the problematic variables (such as $x$) "rigidly". This calculus can be seen as an alternative to the method proposed here. Unfortunately, completeness is still an open problem.

Hyper tableau is different from hyper resolution [Rob65] in several aspects. 
Most importantly, hyper tableaux are analytical, i.e. no new clauses are added 
(short of instances) . By this we achieve that hyper tableau is a decision procedure 
for the function-free case (cf. Corollary 13). Further, the generation of clause 
instances is branch-local (cf. Section 3), whereas the clauses in resolution are 
stored globally. 

Another related calculus is analytic resolution [Bra76]. It can be set up to act similar to hyper resolution, but with the important difference that no clauses are merged when building resolvents; instead, the electron clauses and the resolvents would all be kept separately but obeying variable dependencies in a stack-like manner^5. Analytic resolution then essentially handles positive disjunctions which are augmented by a list of conditions which are also positive disjunctions. An important difference of analytic resolution (in fact, all variants of resolution) to hyper tableau is that in resolution literals count as contradictory if they are complementary, whereas in hyper tableau literals count as contradictory if they are variants (with opposite sign). This is an essential difference, as it is needed to achieve that hyper tableau decides the Bernays-Schönfinkel class.

As indicated in Note 6, the fairness condition for hyper tableau can be implemented easily. This distinguishes hyper tableau from all implementations of free-variable tableau calculi developed so far^6. Since free-variable tableaux are proof confluent, there is in principle a way to implement them without retracting a once derived tableau and without backtracking on a once applied substitution (provers like HARP [OS88] which use the $\gamma$-rule to substitute variables by ground terms do not count). However, no implementation takes advantage of this property (e.g. [BP95,BHOS96]).

The work most closely related to hyper tableau probably is the disconnection method (DCM) [Bil96]. Hyper tableau shares with the DCM the property of generating instances of clauses (this also holds for hyper-linking [LP92], which, however, does not employ the concept of a "path"). However, the closure condition is different. In DCM, $p(x,y)$ and $\neg p(u,u)$ constitute a link, because they are complementary when all variables are replaced by the same constant; in hyper tableau a closure condition based on variants is used. In hyper tableau, clause instances are generated branch-locally, whereas they are global in DCM. Importantly, as stated in [Bil96], DCM is not compatible with hyper-type inferences. Hyper tableau can thus be seen as a way to bring hyper-type inferences to a DCM-like calculus. As in resolution, hyper-type inferences restrict the possible inferences. For instance, if $p(a,a)$ and $p(b,b)$ both are on the current branch, then no inference with $\leftarrow p(x,a), p(x,b)$ is possible because the body cannot be solved simultaneously. However, an inference in DCM is possible. Furthermore, DCM does not take advantage of a redundancy criterion as hyper tableau does. For instance, with $p(x,y), q(x) \leftarrow$ as the single tableau clause and $p(y,x) \leftarrow p(x,y)$ as input clause, Ext is not applicable because $p(y,x)$ is true in the model given by $p(x,y)$, whereas DCM would have to build the connection.

^5 It would be an interesting exercise to recast the very procedural formulation of analytic resolution in an analytic tableau framework.

^6 To my knowledge, admittedly.

Future work. The hyper tableau calculus of [BFN96] takes advantage of branch-local variables by treating them as universally quantified. This technique should be made available to the current version of hyper tableau as well, and it would generalise the unit-clause improvements of DCM.

"Cutting out" clauses from a closed subtree which do not affect the closed-property of the subtree (introduced as condensing in [OS88]) is an important technique in the hyper tableaux of [BFN96]. For efficiency reasons I expect it to be mandatory here as well.

Alternatives for the model construction should be investigated to achieve a higher degree of redundant inferences. For instance, it seems possible in the model construction to forget the clause bodies and look at the heads only. Another way to achieve this is to alter the calculus and to combine it with ideas from analytic resolution [Bra76]; the combined calculus would essentially handle conditional positive disjunctions as in analytic resolution (see above) but keep the branch closure condition of hyper tableau. This calculus would be an even more natural generalization of hyper tableau (previous generation) for the Horn case.

Acknowledgements. Many thanks to Reiner Hähnle for numerous valuable comments.



References

[AB97] Chandrabose Aravindan and Peter Baumgartner. A Rational and Efficient Algorithm for View Deletion in Databases. In Jan Maluszynski, editor, Logic Programming - Proceedings of the 1997 International Symposium, Port Jefferson, New York, 1997. The MIT Press.

[BFFN97] Peter Baumgartner, Peter Fröhlich, Ulrich Furbach, and Wolfgang Nejdl. Semantically Guided Theorem Proving for Diagnosis Applications. In 15th International Joint Conference on Artificial Intelligence (IJCAI 97), pages 460-465, Nagoya, 1997. International Joint Conference on Artificial Intelligence.

[BFN96] Peter Baumgartner, Ulrich Furbach, and Ilkka Niemelä. Hyper Tableaux. In Proc. JELIA 96, number 1126 in Lecture Notes in Artificial Intelligence. European Workshop on Logic in AI, Springer, 1996.

[BG94] Leo Bachmair and Harald Ganzinger. Rewrite-based equational theorem proving with selection and simplification. Journal of Logic and Computation, 4(3):217-247, 1994.

[BHOS96] Bernhard Beckert, Reiner Hähnle, Peter Oel, and Martin Sulzmann. The tableau-based theorem prover 3TAP, version 4.0. In Proceedings, 13th International Conference on Automated Deduction (CADE), New Brunswick, NJ, USA, volume 1104 of Lecture Notes in Computer Science, pages 303-307. Springer, 1996.

[Bil96] Jean-Paul Billon. The Disconnection Method. In Miglioli et al. [MMMO96].

[BP95] Bernhard Beckert and Joachim Posegga. leanTAP: Lean tableau-based deduction. Journal of Automated Reasoning, 15(3):339-358, 1995.

[Bra76] D. Brand. Analytic Resolution in Theorem Proving. Artificial Intelligence, 7:285-318, 1976.

[CL73] C. Chang and R. Lee. Symbolic Logic and Mechanical Theorem Proving. Academic Press, 1973.

[FH91] H. Fujita and R. Hasegawa. A Model Generation Theorem Prover in KL1 using a Ramified-Stack Algorithm. In Proc. of the Eighth International Conference on Logic Programming, pages 535-548, Paris, France, 1991.

[Fit90] M. Fitting. First Order Logic and Automated Theorem Proving. Texts and Monographs in Computer Science. Springer, 1990.

[Joy76] W.H. Joyner. Resolution Strategies as Decision Procedures. Journal of the ACM, 23(3):396-417, 1976.

[KH94] Stefan Klingenbeck and Reiner Hähnle. Semantic tableaux with ordering restrictions. In A. Bundy, editor, Proc. CADE-12, volume 814 of LNAI, pages 708-722. Springer, 1994.

[Küh97] Michael Kühn. Rigid Hypertableaux. In Proc. of KI '97, Lecture Notes in Artificial Intelligence. Springer, 1997.

[Lei97] Alexander Leitsch. The Resolution Calculus. Springer, 1997.

[LMG94] R. Letz, K. Mayr, and C. Goller. Controlled Integrations of the Cut Rule into Connection Tableau Calculi. Journal of Automated Reasoning, 13, 1994.

[LP92] S.-J. Lee and D. Plaisted. Eliminating Duplicates with the Hyper-Linking Strategy. Journal of Automated Reasoning, 9:25-42, 1992.

[LRW95] D. Loveland, D. Reed, and D. Wilson. SATCHMORE: SATCHMO with RElevance. Journal of Automated Reasoning, 14:325-351, 1995.

[MB88] Rainer Manthey and François Bry. SATCHMO: a theorem prover implemented in Prolog. In Ewing Lusk and Ross Overbeek, editors, Proceedings of the 9th Conference on Automated Deduction, Argonne, Illinois, May 1988, volume 310 of Lecture Notes in Computer Science, pages 415-434. Springer, 1988.

[MMMO96] P. Miglioli, U. Moscato, D. Mundici, and M. Ornaghi, editors. Theorem Proving with Analytic Tableaux and Related Methods, number 1071 in Lecture Notes in Artificial Intelligence. Springer, 1996.

[Nie96] Ilkka Niemelä. A Tableau Calculus for Minimal Model Reasoning. In Miglioli et al. [MMMO96].

[OS88] F. Oppacher and E. Suen. HARP: A Tableau-Based Theorem Prover. Journal of Automated Reasoning, 4:69-100, 1988.

[Rob65] J. A. Robinson. Automated deduction with hyper-resolution. Internat. J. Comput. Math., 1:227-234, 1965.




Fibring Semantic Tableaux

Bernhard Beckert^1,* and Dov Gabbay^2

^1 University of Karlsruhe, Institute for Logic, Complexity and Deduction Systems, D-76128 Karlsruhe, Germany. E-mail: beckert@ira.uka.de
^2 Imperial College, Department of Computing, 180 Queen's Gate, London SW7 2BZ, UK. E-mail: dg@ic.ac.uk



Abstract. The methodology of fibring is a successful framework for 
combining logical systems based on combining their semantics. In this 
paper, we extend the fibring approach to calculi for logical systems: we 
describe how to uniformly construct a sound and complete tableau cal- 
culus for the combined logic from calculi for the component logics. 

We consider semantic tableau calculi that satisfy certain conditions and 
are therefore known to be “well-behaved” — such that fibring is possible. 
The identification and formulation of conditions that are neither too 
weak nor too strong is a main contribution of this paper. 

As an example, we fibre tableau calculi for first order predicate logic and 
for the modal logic K. 



1 Introduction 

The methodology of fibring is a successful framework for combining logical systems based on combining their semantics [7,6,8]. The basic idea is to combine the structures defining the semantics of two logics $L_1$ and $L_2$ such that the result can be used to define semantics for expressions from the combined languages of $L_1$ and $L_2$. The general assumption is that these structures have components like, for example, the worlds in Kripke structures; to build fibred structures, fibring functions $F_{(1,2)}$ are defined assigning to each constituent $w$ of an $L_1$-model $m_1$ an $L_2$-model $m_2$. An $L_2$-expression is evaluated in $w$, where its value is undefined, by instead evaluating it in $m_2 = F_{(1,2)}(w)$. The full power of the fibring method is revealed when this process is iterated to define a semantics for the logic $L_{[1,2]}$, where the operators of the component logics can occur arbitrarily nested in formulae. Fibring has been successfully used in many areas of logic to combine systems and define their semantics; for an overview see [7].

In this paper, we extend the fibring approach to calculi for logical systems: we describe how to uniformly construct a sound and complete tableau calculus for the combined logic from calculi for the component logics. Since tableau calculi are known for most "basic" logics [5] (including classical logic, modal logic, intuitionistic logic, and temporal logic), calculi can be obtained for all "complex" logics that can be constructed by fibring basic logics, such as modal predicate logic, intuitionistic temporal logic, etc.

* This work was carried out during a visit at Imperial College, London, UK. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 77-92, 1998. 
One cannot fibre just any proof procedures for two logics in a uniform way. 
First, “proving” can have different meanings in different logics: deciding (or 
semi-deciding) satisfiability or validity, computing a satisfying variable 
instantiation, etc. Second, it is not clear where to “plug in” the proof procedure 
for L2 into that for L1; a proof procedure may do something completely different 
from what (the definition of) the valuation function does that provides the truth 
value of a formula in a given model. For example, if the procedure P1 is based 
on constructing a (counter) model, whereas the procedure P2 uses a resolution 
calculus, they cannot be fibred (at least not uniformly). 

Therefore, we consider semantic tableau calculi that satisfy certain condi- 
tions and are, thus, known to be “well-behaved” — such that fibring is possible 
(for some substructural logics, e.g. linear logic, no such “well-behaved” calculi 
exist). The identification and formulation of conditions that are neither too weak 
nor too strong is a main contribution of this paper. 

If the components that are fibred satisfy these conditions, then the resulting 
calculus is automatically sound and complete. It may only be a semi-decision 
procedure, i.e., only terminate for unsatisfiable input formulae, even if its com- 
ponents are decision procedures; this, however, is not surprising because a fibred 
logic may be undecidable even if its components are decidable. 

Related work includes [4], where a method for fibring tableau calculi for 
substructural implication logics has been presented. In [9], a method is described 
for fibring tableaux for modal logics to construct calculi for multi-modal logics; 
it can be seen as an instance of the general framework presented here. 

We define the notion of a logical system in a very general way (Section 2); only 
indispensable properties of its syntax and semantics are part of the definition 
without which a useful tableau calculus for the logic cannot exist (or cannot be 
fibred with calculi for other logical systems). 

Similarly, as few restrictions as possible are made regarding the type and form 
of tableau calculi. In particular, the calculus does not have to be analytical; and 
the tableau rules do not have to be given in form of rule schemata but can be 
described in an arbitrary way. The conditions that tableau calculi have to satisfy 
to be suitable for fibring are described in Section 3. We present two examples of 
calculi suitable for fibring in Sections 4 and 5: a calculus for first-order predicate 
logic and a calculus for the modal logic K. In Section 6, the method of fibring 
logics is described in general and syntax and semantics of a fibred logic are 
defined, based on syntax and semantics of its component logics. 

In Section 7, we present our uniform method for constructing a tableau calculus 
for a fibred logic from calculi for the component logics. The resulting calculus 
is shown to be sound and complete w.r.t. the semantics of the fibred logic and 
to be itself suitable for fibring with other calculi. The latter property makes it 
possible to iterate the fibring of tableau calculi and, thus, to construct a calculus 
for the fully fibred logic L[1,2]. 

As an example, in Section 8, the calculi for first-order and for modal logic 
introduced in Sections 4 and 5 are fibred resulting in a calculus for modal predicate 
logic. 

Finally, in Section 9 we draw conclusions from our work. Due to space 
restrictions, all proofs are omitted; they can be found in [2]. 

2 Logical Systems 

In this section, we define the notion of a logical system in a very general way; only 
indispensable properties of its syntax and semantics are part of the definition 
without which a useful tableau calculus for the logic cannot exist (or cannot be 
fibred with calculi for other logical systems). 

The logic has to have a model semantics that uses Kripke-style models, i.e., 
models consisting of worlds in which formulae are true or false; there are no 
restrictions on the relationship between these worlds. In fact, any kind of model 
can be considered to be a Kripke-style model with a single world (namely the 
model itself), including models of classical propositional and first-order logic. 
However, since the labels of tableau formulae are interpreted as worlds, if there 
is only one world in the models of a logic, then the interpretation of all labels is 
the same and they become useless for the calculus. 

The restriction that only two-valued logics are considered is solely made 
for the sake of simplicity. All notions introduced in the following can easily be 
extended to many-valued logics (but no additional insight is gained). 

Definition 1. Associated with a logical system L (a logic for short) is a set 
Sig of signatures¹ of L. For each signature Σ ∈ Sig, syntax and semantics of 
the instance of L are given by: 

Syntax: A set Form^Σ of formulae and a set Atom^Σ ⊆ Form^Σ of atomic 
formulae (atoms), where the sets Atom^Σ and Form^Σ are decidable. 

Semantics: A set M^Σ of models where each model m ∈ M^Σ (at least) contains 
(a) a set W of worlds, (b) an initial world w⁰ ∈ W, and (c) a binary relation 
⊨ between W and Form^Σ. 

If w ⊨ φ for some world w ∈ W and some formula φ ∈ Form^Σ, then φ is 
said to be true in w, else it is false in w. A formula φ ∈ Form^Σ is satisfied by 
a model m ∈ M^Σ if (and only if) it is true in the initial world w⁰ of m. A set 
G ⊆ Form^Σ of formulae is satisfied by m iff all its elements are satisfied by m. 
A formula φ ∈ Form^Σ (a set G ⊆ Form^Σ of formulae) is satisfiable if there is 
a model m ∈ M^Σ satisfying φ (resp. G). 

Although usually non-atomic formulae are constructed from atomic formulae, 
and their truth value is determined by the truth value of the atoms they consist 
of, this is not part of the above definition. However, the existence of a tableau 
calculus for a logic L that is suitable for fibring implies that the truth value of a 
formula φ is strongly related to the truth values of certain atoms (that may or 
may not be sub-formulae of φ). 

¹ We do not further specify what a signature is; Sig can be seen as a set of indices for 
distinguishing different instances of L (which usually differ in the symbols they use). 
Tableau calculi allow checking the satisfiability of a formula; we only consider 
this property. It may or may not be possible in a certain logic to check whether 
a formula is valid in some model (true in all worlds) or is a tautology (valid in all 
models) by reducing this problem to a satisfiability problem; in many logics — 
though not in all — a formula is a tautology if its negation is not satisfiable. 

Often, formulae are used in tableau calculi that are not part of the original 
but of an extended signature (e.g., formulae containing Skolem symbols): 

Definition 2. Given a logic L, a signature Σ* ∈ Sig is an extension of a 
signature Σ ∈ Sig (and Σ ∈ Sig is a restriction of Σ* ∈ Sig) if Form^Σ ⊆ Form^Σ* 
and Atom^Σ ⊆ Atom^Σ*. 

In that case, a model m ∈ M^Σ is a restriction of a model m* ∈ M^Σ* (to 
the signature Σ) if there is a function f that assigns to each world of m a world 
of m* such that: (a) the initial world of m* is assigned to the initial world of m; 
and (b) for all formulae φ ∈ Form^Σ and worlds w of m: w ⊨ φ iff f(w) ⊨ φ. 

3 Tableau Calculi and the Conditions they Must Satisfy 

As said above, only few restrictions are made regarding the type and form of 
tableau calculi. Any function that assigns to a tableau branch its (possible) 
extensions is regarded as a tableau rule. Nevertheless, certain conditions have to 
be met, the first of which ensures that tableau rule applications do not transform 
the whole tableau in an arbitrary way: 

Condition 1. Tableau rule applications have only local effects, in that they 
extend a single branch of a tableau, and do not alter or remove formulae already 
on the tableau. 

The second assumption is that the applicability of a tableau rule to a branch 
and the result of its application are solely determined by the presence of certain 
formulae on the branch to which it is applied; no other pre-conditions are allowed 
such as, for example, the absence of certain formulae, the presence of formulae 
on different branches, or the order of formulae on a branch: 

Condition 2. Whether a tableau branch B can be expanded in a certain way 
is solely determined by the presence of certain formulae on B (the premiss for 
that expansion). 

Condition 2 implies that tableau branches are regarded as sets and that tableau 
rules are monotonic; thus, when formulae are added to the branch, previous 
tableau rule applications are not invalidated. 

Conditions 1 and 2 intuitively prohibit “strange” behaviour of calculi. There 
are, however, useful calculi that violate these syntactical restrictions, including 
(a) calculi where variable substitutions are applied to the whole tableau, (b) cal- 
culi with resource restrictions that are not local to a branch (for example linear 
logic, where a formula can be “used up” globally), and (c) calculi using expan- 
sion rules that introduce new symbols, i.e., symbols that must not occur on the 
branch or even the whole tableau. At least the latter type of rules can often be 
replaced by similar rules satisfying Condition 2: 
Example 1. In calculi for first-order predicate logic, often a tableau rule is used 
that allows deriving φ(c) from formulae of the form (∃x)(φ(x)), where c is 
a constant new to the tableau (or the branch); this rule violates Condition 2 
because it demands the absence of formulae containing c. 

If instead a special constant symbol c_φ is used, which does not have to be 
new, then the rule satisfies Condition 2 above. Soundness is preserved provided 
that c_φ is not introduced into the tableau in any other way than by skolemising 
(∃x)(φ(x)); in particular, the Skolem constant c_φ must not occur in the initial 
tableau (this is an adaptation of the rule for existential formulae presented in [3] 
to the ground case [1]). 

As said before, we allow formulae from an extended signature Σ* to be used 
in a tableau proof: Only the tableau formulae that are tested for satisfiability 
have to be taken from the non-extended signature Σ; they are put on the initial 
tableau. During the proof it is allowed, for example, to introduce Skolem symbols 
that are not elements of Σ. We proceed to formally define our (syntactical) 
notions of tableaux and tableau calculi: 

Definition 3. Given a logic L, a signature Σ ∈ Sig, and a set Lab of labels, a 
tableau formula σ:Sφ consists of a label σ ∈ Lab, a truth value sign S ∈ {T, F}, 
and a formula φ ∈ Form^Σ; it is called atomic if φ ∈ Atom^Σ. The set of all 
tableau formulae is denoted with TabForm^Σ. A tableau is a finitely branching 
tree whose nodes are labelled with tableau formulae. A branch of a tableau T is a 
maximal path in T. The set of formulae on a branch B is denoted with Form(B). 

A tableau calculus C for a logic L has (different) “instances” for each 
signature Σ ∈ Sig: 

Definition 4. A tableau calculus C for a logic L is, for each signature Σ ∈ Sig, 
specified by: (a) an extension Σ* ∈ Sig of the signature Σ; (b) a set Lab^Σ of 
labels and an initial label σ⁰ ∈ Lab^Σ; (c) a tableau (expansion and closure) 
rule R^Σ, i.e., a function that assigns to each finite set Π ⊆ TabForm^Σ* of 
tableau formulae (each premiss) — and thus to each tableau branch B with 
Π ⊆ Form(B) — a set R^Σ(Π) of (possible) conclusions, where a conclusion is a 
finite set of branch extensions or the symbol ⊥ (branch closure), and a branch 
extension is a finite set of tableau formulae from TabForm^Σ*. The rule R^Σ must 
satisfy the following conditions: (i) R^Σ(Π) may be infinite but has to be 
enumerable; (ii) R^Σ(Π) ⊆ R^Σ(Π ∪ Π') for all Π, Π' ⊆ TabForm^Σ* (monotonicity). 

In practice, tableau rules are often described by means of rule schemata. This 
fits perfectly in our framework, with the exception that different rule schemata 
are usually considered to define different rules, whereas we consider them to 
define different sub-cases of one (single) rule. 

We now have everything at hand to define what the tableaux for a set G of 
formulae are and when a tableau is closed. The construction of tableaux for G is in 
general a non-deterministic process, since there may be any — even an infinite — 
number of possible conclusions that can be derived from a given premiss. 

Definition 5. Given a tableau calculus C for a logic L and a signature Σ ∈ Sig, 
the set of all tableaux for a finite set F ⊆ TabForm^Σ* of tableau formulae is 
inductively defined as follows: (1) A linear tableau whose nodes are labelled with 
the formulae in F is a tableau for F (an initial tableau). (2) Let T be a tableau 
for F, B a branch of T, and C ≠ ⊥ a conclusion in R^Σ(Π) for a premiss 
Π ⊆ Form(B). Then a new tableau for F can be constructed from T as follows: 
the branch B is extended by a new sub-branch for each extension E in C, where 
the nodes in that sub-branch are labelled with the tableau formulae in E. 

T is a tableau for a finite set G ⊆ Form^Σ of formulae if it is a tableau for 
the set {σ⁰:T φ | φ ∈ G} of tableau formulae. 

Definition 6. Given a tableau calculus C for a logic L and a signature Σ ∈ Sig, 
a tableau branch B is closed iff ⊥ ∈ R^Σ(Π) for a premiss Π ⊆ Form(B). A 
tableau is closed if all its branches are closed. 

Conditions 1 and 2 above, which are purely syntactical, still allow calculi to 
behave “strangely”. Formulae could be added to the tableau that syntactically 
encode knowledge derived from a premiss Π, but whose semantics (i.e., truth 
value) has nothing to do with that of Π. An extreme example for this is that 
two symbols of the signature are used to encode the formulae in Π in a binary 
representation, and tableau rules are employed that operate on that binary rep- 
resentation. Such calculi — though they may be sound and complete — cannot be 
fibred in a uniform way as an understanding of the encoding would be needed. To 
assure a more “conservative” behaviour one could impose additional syntactical 
restrictions, for example only allow tableau rules that are analytic. However, the 
property of tableau rules that has to be guaranteed is more of a semantic nature: 
the result of a rule application must be semantically related to its premiss. The 
first semantical condition (Cond. 3) is part of our definition of the semantics of 
tableau formulae and tableaux (Def. 7): 

Condition 3. The labels that are part of tableau formulae represent worlds in 
models, and the truth value signs encode truth and falsehood of a formula; they 
do not contain other information. 

Definition 7. Given a tableau calculus C for a logic L and a signature Σ ∈ Sig, 
a tableau interpretation for C is a pair ⟨m, I⟩ where m ∈ M^Σ* is a model 
for the extended signature Σ* and I is a partial function that assigns to labels 
σ ∈ Lab^Σ worlds of m such that I(σ⁰) = w⁰ (i.e., I assigns to the initial 
label σ⁰ the initial world of m). A tableau interpretation ⟨m, I⟩ satisfies a 
tableau formula σ:Sφ ∈ TabForm^Σ iff I(σ) is defined and (a) S = T and φ is true 
in I(σ) or (b) S = F and φ is false in I(σ). It satisfies a tableau branch B iff it 
satisfies all tableau formulae on B. It satisfies a tableau iff it satisfies at least 
one of its branches. 

Often, only a subset of all possible tableau interpretations is used to define 
the semantics of tableaux. For example, to define the semantics of first-order 
tableaux, only tableau interpretations are used whose first part is an Herbrand 
model. In the following, the set of these tableau interpretations that are actually 
used to define the semantics of a calculus is denoted with TabInterp^Σ. 

The next four conditions we impose to make calculi “well-behaved”, which 
are semantical, resemble the properties that a tableau calculus is shown to have 
in a classical soundness and completeness proof. 

Condition 4. Appropriateness of the set of tableau interpretations: If a set G ⊆ 
Form^Σ is satisfiable, then there is a tableau interpretation in TabInterp^Σ that 
satisfies the initial tableau for G (which is important for soundness); and, if 
⟨m*, I⟩ is such a tableau interpretation, then m* can be restricted to a model 
m ∈ M^Σ that satisfies G (which is important for completeness). 

Condition 5. Soundness of expansion (preliminary version): If there is a 
tableau interpretation in TabInterp^Σ satisfying a tableau T and T' is the result 
of applying the expansion rule to T then there is a tableau interpretation in 
TabInterp^Σ satisfying T'. 

Condition 6. Soundness of Closure: If a tableau branch is closed then it is not 
satisfied by any tableau interpretation in TabInterp^Σ. 

Before Condition 7 can be formulated that establishes completeness of a 
calculus, the notion of a fully expanded tableau branch has to be defined. The 
definition relies on the fact that tableau rules are monotonic (Condition 2); 
without that property of tableau rules, it is difficult to define the notion of fully 
expanded branches in a uniform way. Intuitively a branch is fully expanded if 
no expansion rule application can add any new formulae to the branch. 

Definition 8. Given a tableau calculus C for a logic L and a signature Σ ∈ Sig, 
a tableau branch B is fully expanded if E ⊆ Form(B) for all extensions E in 
all conclusions C ∈ R^Σ(Π) for all premisses Π ⊆ Form(B). 

Condition 7. Completeness: If a tableau branch B is fully expanded and not 
closed then there is a tableau interpretation in TabInterp^Σ satisfying B. 

Conditions 4-7 ensure soundness and completeness of a tableau calculus: 

Theorem 1. If a tableau calculus C for a logic L satisfies Conditions 4-7 for 
all signatures Σ ∈ Sig then the following holds for all finite sets G ⊆ Form^Σ: 
There is a closed tableau for G if and only if G is not satisfiable. 

To be suitable for fibring, a calculus has to satisfy two additional conditions. 
The first of these replaces Condition 5: 

Condition 8. Soundness of expansion: If a tableau T is satisfied by a tableau 
interpretation in TabInterp^Σ and T' is the result of applying the expansion rule 
to T, then T' is satisfied by the same tableau interpretation. 
Intuitively, the reason why Condition 8 has to be used instead of Condition 5 is 
the following: Suppose T is a tableau for a fibred logic L(1,2), the tableau 
interpretation ⟨m1, I1⟩ satisfies the L1-formulae on some branch B of T, the tableau 
interpretation ⟨m2, I2⟩ satisfies the L2-formulae on B, and together they form 
a tableau interpretation of the fibred logic L(1,2) satisfying the whole branch B 
and, thus, the tableau T. Now, if the expansion rule for L1 only preserved 
satisfiability in some model, i.e., the L1-formulae on an extension B' of B were only 
satisfied by some different tableau interpretation ⟨m1', I1'⟩, then a problem would 
arise if ⟨m1', I1'⟩ and ⟨m2, I2⟩ are incompatible and do not form a fibred model. 

Condition 9. If a tableau branch B is fully expanded then every tableau 
interpretation in TabInterp^Σ satisfying the atoms on B satisfies all formulae on B. 

This last condition ensures that the calculus is “analytical down to the atomic 
level” . It is not a syntactical condition and it does not imply that the calculus 
is analytic in the classical sense. The condition is needed to ensure completeness 
when the calculus is used for fibring. 

Example 2. In a tableau calculus for a modal logic that satisfies Condition 9, it 
must be possible to add the formula τ:T p to a tableau branch containing σ:T □p 
for all labels τ representing a world reachable from the world represented by σ. In 
a tableau calculus for classical propositional logic it must be possible to expand 
a branch containing σ:T p ∨ q by sub-branches containing σ:T p resp. σ:T q, even 
if one of these atoms is pure, i.e., occurs only positively on the branch. 

When the two calculi for propositional and for modal logic are fibred, then 
a propositional atom may indeed be a modal formula; even if it is pure (viewed 
as a propositional atom), it may be unsatisfiable as a modal formula. Thus, for 
example, a propositional calculus must expand the formula σ:T ◇(r ∧ ¬r) ∨ q so 
that ◇(r ∧ ¬r) can be passed on to the modal component of the fibred calculus, 
and its unsatisfiability can be detected. 

Definition 9. A tableau calculus C for a logic L is suitable for fibring if, for 
all signatures Σ ∈ Sig, there is a set TabInterp^Σ of tableau interpretations such 
that Conditions 4-9 are satisfied (Conditions 1-3 are part of the definition of 
tableau calculi resp. tableau interpretations). 

4 Example: First-order Predicate Logic 

4.1 The Logical System of First-order Predicate Logic 

To specify the logical system L_PL1 of first-order predicate logic, the set Sig_PL1 
of signatures and the syntax and semantics of L_PL1 have to be defined. 

Signatures: The set Sig_PL1 consists of all first-order signatures Σ = (P_Σ, F_Σ) 
where P_Σ is a set of predicate symbols and F_Σ is a set of function symbols. For 
skolemisation we do not use symbols from F_Σ but from a special infinite set F_Σ^sko 
of Skolem function symbols that is disjoint from F_Σ. The symbols in P_Σ, F_Σ and 
F_Σ^sko can be used with any arity n ≥ 0; in particular, function symbols can be 
used as constant symbols (arity 0). 

Syntax: In addition to the predicate and function symbols there is an infinite 
set Var of object variables. The logical operators are ∨ (disjunction), ∧ (conjunction), 
→ (implication), and ¬ (negation), and the quantifiers ∀ and ∃. Terms, 
atoms, and formulae over a signature Σ are constructed as usual. As we use a 
calculus without free variables, Form^Σ_PL1 is the set of all formulae over Σ not 
containing free variables, and Atom^Σ_PL1 ⊆ Form^Σ_PL1 is the set of all ground atoms. 

Semantics: A first-order structure ⟨D, ℐ⟩ for a signature Σ consists of a 
domain D and an interpretation ℐ, which gives meaning to the function and 
predicate symbols of Σ. A variable assignment is a mapping μ : Var → D from 
the set of variables to the domain D. The evaluation function val is defined as 
usual; that is, given a structure ⟨D, ℐ⟩ and a variable assignment μ, it assigns to 
each formula φ ∈ Form^Σ a truth value val_{ℐ,μ}(φ) ∈ {true, false}. As all models 
must contain a set of worlds (Def. 1), we define M_PL1 to consist of models 
where the initial and only world is a first-order structure. The relation ⊨_PL1 
is defined by: ⟨D, ℐ⟩ ⊨_PL1 φ iff, for all variable assignments μ, val_{ℐ,μ}(φ) = true. 



4.2 A Tableau Calculus for First-order Predicate Logic 



To describe our calculus C_PL1 for first-order predicate logic L_PL1, we have to 
define, for each signature Σ ∈ Sig_PL1, the extension Σ* to be used for constructing 
tableaux, the set of labels, the initial label, and the expansion and closure rule. 

Extended signature: Since the function symbols in F_Σ^sko are used for 
skolemisation, the extended signature Σ* is (P_Σ, F_Σ ∪ F_Σ^sko). 

Labels: The models of first-order logic consist of only one world; it is 
represented by the label *. Thus, Lab^Σ = {*}, and * is the initial label. 

Expansion and closure rule: The set of tableau formulae in TabForm^Σ that are 
not literals is divided into four classes as shown in the table below: α for 
formulae of conjunctive type, β for formulae of disjunctive type, γ for quantified 
formulae of universal type, and δ for quantified formulae of existential type 
(unifying notation). To comply with Condition 1, which does not allow the 
application of substitutions (to the whole tableau), we use the classical ground 
version of tableaux for first-order logic (universally quantified variables are 
replaced by ground terms when the γ-rule is applied). To comply with Condition 2, 
we use a δ-rule that does not introduce a new Skolem function symbol. Rather, 
each class of δ-formulae identical up to variable renaming is assigned its own 
unique Skolem symbol: 

    α                  α1, α2                   β                  β1, β2 
    *:T (φ ∧ ψ)        *:T φ, *:T ψ             *:T (φ ∨ ψ)        *:T φ, *:T ψ 
    *:F (φ ∨ ψ)        *:F φ, *:F ψ             *:F (φ ∧ ψ)        *:F φ, *:F ψ 
    *:F (φ → ψ)        *:T φ, *:F ψ             *:T (φ → ψ)        *:F φ, *:T ψ 
    *:T ¬φ             *:F φ, *:F φ 
    *:F ¬φ             *:T φ, *:T φ 

    γ(x)               γ1(x)                    δ(x)               δ1(x) 
    *:T (∀x)(φ(x))     *:T φ(x)                 *:F (∀x)(φ(x))     *:F φ(x) 
    *:F (∃x)(φ(x))     *:F φ(x)                 *:T (∃x)(φ(x))     *:T φ(x) 
Definition 10. Given a signature Σ ∈ Sig_PL1, the function sko assigns to each 
δ-formula φ ∈ TabForm^Σ a symbol sko(φ) ∈ F_Σ^sko such that (a) sko(φ) > f for 
all f ∈ F_Σ^sko occurring in φ, where > is an arbitrary but fixed ordering on F_Σ^sko, 
and (b) for all δ-formulae φ, φ' ∈ TabForm^Σ the symbols sko(φ) and sko(φ') 
are identical if and only if φ and φ' are identical up to renaming of quantified 
variables. 

The purpose of condition (a) in the above definition of sko is to avoid cycles 
like: sko(φ) = f, f occurs in φ', sko(φ') = g, and g occurs in φ. 

The expansion and closure rule R_PL1 of our calculus C_PL1 is formally 
defined as follows: For all premisses Π ⊆ TabForm^Σ*_PL1, the set R_PL1(Π) of 
possible conclusions is the smallest set containing the following conclusions (where 
α, β, γ, δ denote tableau formulae of the corresponding type): (a) {{α1, α2}} for 
all α ∈ Π, (b) {{β1}, {β2}} for all β ∈ Π, (c) {{γ1(t)}} for all γ ∈ Π and all 
ground terms t over Σ*, (d) {{δ1(c)}} for all δ ∈ Π where c = sko(δ) (Def. 10), 
(e) ⊥ if *:T φ, *:F φ ∈ Π for any φ ∈ Form^Σ*_PL1. 
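An added example, not the paper's code, of the function sko of Definition 10 and of the ground δ-rule (d) that uses it. The point of the construction is that the Skolem symbol depends only on the δ-formula, up to renaming of quantified variables, and is never required to be "new", so the rule has no negative side condition and satisfies Condition 2. The encoding of formulae as nested tuples and the naming of Skolem symbols as sk1, sk2, ... (ordered by their index) are assumptions of this code, not of the paper.

```python
"""sko (Definition 10) and the ground delta-rule (d): added illustration,
not the paper's code.

Formulae are nested tuples (an assumed encoding):
    ('forall', x, phi)  ('exists', x, phi)
    ('and', phi, psi)  ('or', phi, psi)  ('imp', phi, psi)  ('not', phi)
    atoms and terms ('P', t1, ...) / ('f', t1, ...), with variables and
    constants as plain strings.  Ground formulae only: every variable is bound.
A tableau formula is (sign, formula); the label is always '*' and is omitted.
Skolem symbols are the strings 'sk1', 'sk2', ... ordered by their index.
"""

QUANTIFIERS = ('forall', 'exists')


def canonical(formula, env=None, depth=0):
    """Rename bound variables by binding order (v0, v1, ...) so that formulae
    that are identical up to renaming of quantified variables get the same
    canonical form.  Constants are assumed not to be named v<digits>."""
    env = env or {}
    if isinstance(formula, str):                  # variable or constant
        return env.get(formula, formula)
    head, *args = formula
    if head in QUANTIFIERS:
        var, body = args
        fresh = 'v%d' % depth
        return (head, fresh, canonical(body, {**env, var: fresh}, depth + 1))
    return (head, *(canonical(a, env, depth) for a in args))


def skolem_index(symbol):
    """Index of a Skolem symbol ('sk7' -> 7); 0 for any other symbol."""
    return int(symbol[2:]) if symbol.startswith('sk') and symbol[2:].isdigit() else 0


def max_skolem_index(formula):
    """Largest index of a Skolem symbol occurring in formula (0 if none)."""
    if isinstance(formula, str):
        return skolem_index(formula)
    return max((max_skolem_index(a) for a in formula[1:]), default=0)


class Skolemizer:
    """The function sko of Definition 10.  Condition (b) holds because the
    table is keyed on the canonical form of the signed formula; condition (a)
    holds because the index chosen for a formula exceeds every Skolem index
    occurring in it (and every index handed out so far)."""

    def __init__(self):
        self.table = {}
        self.next_index = 1

    def sko(self, tableau_formula):
        sign, formula = tableau_formula
        key = (sign, canonical(formula))
        if key not in self.table:
            index = max(self.next_index, max_skolem_index(formula) + 1)
            self.table[key] = 'sk%d' % index
            self.next_index = index + 1
        return self.table[key]


def substitute(formula, var, term):
    """formula[var := term]; stops at a quantifier that rebinds var."""
    if isinstance(formula, str):
        return term if formula == var else formula
    head, *args = formula
    if head in QUANTIFIERS and args[0] == var:
        return formula
    return (head, *(substitute(a, var, term) for a in args))


def is_delta(tableau_formula):
    """delta-formulae: T (exists x)phi and F (forall x)phi."""
    sign, formula = tableau_formula
    return (not isinstance(formula, str)
            and (sign, formula[0]) in (('T', 'exists'), ('F', 'forall')))


def delta_rule(tableau_formula, skolemizer):
    """Rule (d): the single formula delta_1(c) of the conclusion {{delta_1(c)}}
    with c = sko(delta); None if the input is not a delta-formula."""
    if not is_delta(tableau_formula):
        return None
    sign, (_, var, body) = tableau_formula
    return (sign, substitute(body, var, skolemizer.sko(tableau_formula)))


if __name__ == '__main__':
    sk = Skolemizer()
    # (exists x)P(x) and (exists y)P(y) are equal up to renaming: same symbol
    print(delta_rule(('T', ('exists', 'x', ('P', 'x'))), sk))  # ('T', ('P', 'sk1'))
    print(delta_rule(('T', ('exists', 'y', ('P', 'y'))), sk))  # ('T', ('P', 'sk1'))
    # a delta-formula mentioning sk1 gets a symbol above sk1 (condition (a))
    print(delta_rule(('F', ('forall', 'z', ('Q', 'z', 'sk1'))), sk))  # ('F', ('Q', 'sk2', 'sk1'))
```

Because the symbol is a function of the formula, applying the δ-rule twice to alphabetic variants of the same formula adds nothing new to a branch, which is exactly what makes the notion of a fully expanded branch (Definition 8) well defined for this rule.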

Semantics: We define the semantics of C_PL1-tableaux using tableau 
interpretations that are canonical in the following sense: 

Definition 11. A tableau interpretation for C_PL1 is canonical if its first-order 
structure ⟨D, ℐ⟩ satisfies the following conditions: (a) D is the set of all ground 
terms over Σ*; (b) for all δ-formulae δ(x) ∈ TabForm^Σ and all variable 
assignments μ: if val_{ℐ,μ}(δ(x)) = true then val_{ℐ,μ}(δ1(c)) = true where c = sko(δ). 

Using the set TabInterp_PL1 of canonical tableau interpretations, the calculus 
C_PL1 satisfies Conditions 4-9. In particular, if a tableau T is satisfied by a 
canonical tableau interpretation, then all tableaux constructed from T are satisfied by 
the same interpretation; and every fully expanded tableau branch that is not 
closed is satisfied by a canonical interpretation. 

Theorem 2. The tableau calculus C_PL1 for L_PL1 is suitable for fibring. 

5 Example: The Logic L_K of Modalities 

5.1 The Logical System L_K 

As a second example, we use the modal logic K without binary logical 
connectives; that is, all formulae are of the form o1 ··· on p (n ≥ 0), where p is a 
propositional variable and oi is one of the modalities □, ◇ or the negation 
symbol − (which is used to avoid confusion with first-order negation ¬). We call this 
logic L_K. The missing connectives are not needed, since L_K is later fibred with 
first-order logic where they are available (Sect. 8). 

Signatures: A signature Σ in Sig_K is an enumerable non-empty set of 
primitive propositions. 

Syntax: The formulae in Form^Σ_K consist of a single element of Σ prefixed by 
a sequence of the logical operators □, ◇, −. The set Atom^Σ_K is identical to Σ. 
Semantics: The semantics of L_K is defined in the usual way using Kripke 
structures: A model m in M^Σ_K consists of (a) a non-empty set W of worlds, one 
of which is the initial world w⁰, (b) a binary reachability relation on W, and 
(c) a valuation V, which is a mapping from Σ to subsets of W. Thus, V(p) is 
the set of worlds at which p is “true”. For primitive propositions p, the relation 
⊨_K is defined by: w ⊨_K p iff w ∈ V(p); for complex formulae it is recursively 
defined by: (a) w ⊨_K −φ iff not w ⊨_K φ, (b) w ⊨_K □φ iff w' ⊨_K φ for all w' 
reachable from w, and (c) w ⊨_K ◇φ iff w' ⊨_K φ for some w' reachable from w. 

5.2 A Tableau Calculus for the Logic Lk 

We define a calculus C_K for L_K that uses sequences of natural numbers as labels; 
the world named by σ.n is reachable from the world named by σ. 

Extended signature: No extension of the signature is needed, thus Σ = Σ*. 
Labels: The set Lab_K of labels is for all Σ inductively defined by: the initial 
label 1 is a label, and if σ is a label then so is σ.n for all natural numbers n. 

Expansion and closure rule: To comply with Condition 2, we use a π-rule that 
does not introduce a new label but, similar to the δ-rule in Section 4.2, uses a 
label that is uniquely assigned to the formula to which the rule is applied. 

The expansion and closure rule of our calculus for the logic L_K is formally 
defined as follows: For all premisses Π ⊆ TabForm^Σ_K, the set R_K(Π) of possible 
conclusions is the smallest set containing the following conclusions (where goedel 
is any bijection from Form^Σ_K to the set of natural numbers): (a) {{σ.n:T φ}} for 
all σ:T □φ ∈ Π and all labels of the form σ.n occurring in Π, (b) {{σ.n:F φ}} 
for all σ:F ◇φ ∈ Π and all labels of the form σ.n occurring in Π, (c) {{σ.n:F φ}} 
for all σ:F □φ ∈ Π where n = goedel(φ), (d) {{σ.n:T φ}} for all σ:T ◇φ ∈ Π 
where n = goedel(φ), (e) {{σ:F φ}} for all σ:T −φ ∈ Π, (f) {{σ:T φ}} for all 
σ:F −φ ∈ Π, (g) ⊥ if σ:T φ, σ:F φ ∈ Π for any φ ∈ Form^Σ_K. 

Note that, as stated, rules (c) and (d) send σ:F □φ and σ:T ◇φ to the same 
successor label σ.goedel(φ), so a branch containing both would close although a 
set such as {−□p, ◇p} is satisfiable in K; an implementation should give the two 
rules distinct successor labels, e.g. by numbering the signed formula rather than φ. 
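The rule R_K above, as an added example (this code is not part of the paper): a Python implementation of R_K as a monotone function on sets of tableau formulae, together with a loop that applies conclusions until the branch is closed or fully expanded (Definition 8). For L_K this loop terminates, since every rule strips one operator, so by Theorem 1 it decides satisfiability. Labels are tuples of natural numbers and □, ◇, − are written [], <>, -. Two points are assumptions of this code rather than of the paper: successor numbers come from an injective encoding of the signed formula instead of a bijection on Form_K (distinct formulae still get distinct labels, and σ:F □φ and σ:T ◇φ get different successor worlds), and proposition names are alphanumeric.

```python
"""Tableau calculus C_K for L_K (Section 5.2): added illustration, not the
paper's code.

Formulae are strings: a sequence of the operators '[]' (box), '<>' (diamond)
and '-' (negation) followed by an alphanumeric proposition name, e.g. '[]<>-p'.
A tableau formula is (label, sign, phi): the label 1.2.5 is the tuple
(1, 2, 5) and the sign is 'T' or 'F'.  A branch is a set of tableau formulae,
which is the view of branches that Condition 2 licenses.
"""

BOX, DIA, NEG = '[]', '<>', '-'
CLOSED = 'closed'          # stands for the conclusion "bottom" (branch closure)


def split(phi):
    """(outermost operator, remainder), or (None, phi) for a proposition."""
    for op in (BOX, DIA, NEG):
        if phi.startswith(op):
            return op, phi[len(op):]
    return None, phi


def goedel(sign, phi):
    """Assumption of this code: an injective encoding of the *signed* formula
    into the natural numbers (the paper uses a bijection on Form_K).  Distinct
    formulae get distinct successor numbers, and sigma:F []phi and sigma:T <>phi
    are sent to different successor worlds."""
    return int.from_bytes((sign + phi).encode('ascii'), 'big')


def single(tf):
    """A conclusion consisting of one extension with the one formula tf."""
    return frozenset({frozenset({tf})})


def rule(premiss):
    """R_K(Pi): the set of possible conclusions for the premiss Pi.  Every
    conclusion is determined by formulae *present* in Pi, so the function is
    monotone: rule(P) <= rule(P | Q)."""
    premiss = frozenset(premiss)
    conclusions = set()
    labels = {tf[0] for tf in premiss}
    for sigma, sign, phi in premiss:
        op, rest = split(phi)
        if op is None:
            continue
        if (op, sign) in ((BOX, 'T'), (DIA, 'F')):
            # (a), (b): propagate to every successor label sigma.n already in Pi
            for tau in labels:
                if len(tau) == len(sigma) + 1 and tau[:-1] == sigma:
                    conclusions.add(single((tau, sign, rest)))
        elif (op, sign) in ((BOX, 'F'), (DIA, 'T')):
            # (c), (d): the pi-rule, with a successor label fixed by the formula
            conclusions.add(single((sigma + (goedel(sign, phi),), sign, rest)))
        else:
            # (e), (f): negation flips the sign
            conclusions.add(single((sigma, 'F' if sign == 'T' else 'T', rest)))
    # (g): closure on a complementary pair at the same label
    if any((sigma, 'F', phi) in premiss for sigma, sign, phi in premiss if sign == 'T'):
        conclusions.add(CLOSED)
    return conclusions


def expand(branch):
    """Apply every applicable conclusion until the branch is closed or fully
    expanded (Definition 8: no conclusion adds a formula).  No rule of C_K
    splits a branch, so one set suffices.  Returns (closed, branch)."""
    branch = set(branch)
    while True:
        conclusions = rule(branch)
        if CLOSED in conclusions:
            return True, branch
        new = set().union(*(ext for conc in conclusions for ext in conc)) - branch
        if not new:
            return False, branch
        branch |= new


def satisfiable(formulas):
    """Theorem 1: G is unsatisfiable iff the tableau for {1:T phi | phi in G}
    closes."""
    closed, _ = expand({((1,), 'T', phi) for phi in formulas})
    return not closed


if __name__ == '__main__':
    print(satisfiable(['[]p', '<>-p']))    # False: p everywhere, but -p somewhere
    print(satisfiable(['<>p', '<>-p']))    # True: two different successor worlds
    print(satisfiable(['-[]p', '<>p']))    # True: F []p and T <>p get distinct worlds
    print(satisfiable(['[]p', '[]-p']))    # True: a world with no successors
```

On {□p, ◇−p} the branch closes after the π-rule (d) creates the successor 1.n with T −p, (a) propagates T p to it, and (e) turns T −p into F p; on {□p, □−p} nothing is ever propagated, since no successor label occurs on the branch, and the open branch corresponds to a K-model whose initial world has no successors.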

Semantics: The set TabInterp^Σ_K contains the canonical tableau interpretations 
satisfying the following condition: 

Definition 12. A tableau interpretation ⟨m, I⟩ for L_K is canonical if: (a) if 
I(σ) is defined and satisfies σ:T ◇φ, then I(σ.n) is defined and satisfies σ.n:T φ 
where n = goedel(φ); and (b) for all numbers n, if w = I(σ) and w' = I(σ.n) are 
defined, then the world w' is reachable from w. 

Theorem 3. The tableau calculus C_K for L_K is suitable for fibring. 

6 Fibring Logical Systems 

To fibre two logics L1 and L2 means to consider a logic whose formulae are 
constructed from symbols and operators from both logics [7, 8]. In a first step 
we consider a logic L(1,2) where L2-formulae can occur inside L1-formulae but 
not vice versa. 

Example 3. If L1 = L_PL1 and L2 = L_K, then (∀x)(p(x)), □q, (∃x)(□p(x)), and 
(∀x)(□p(x)) → (∃x)(◇q(x)) are formulae of L(1,2), but □(∀x)(p(x)) is not. 
The logic L[1,2] = L[2,1] that is the full combination of L1 and L2, where 
expressions from the two logics can be nested arbitrarily, can be handled by 
inductively repeating the construction presented in this section. Similarly, it is 
possible to combine three or more logics. 

We consider L(1,2) to be a special case of L1: it contains the formulae of L2 
as (additional) atoms. And, in each world w of an L1-model, the truth value of 
the additional atoms, which are L2-formulae, is the same as that in the initial 
world of an L2-model assigned to w. Thus, an L(1,2)-model consists of an 
L1-model m1 and a fibring function F that assigns to each world w in m1 an 
L2-model. Intuitively, when an L2-formula is to be evaluated in w, where its 
value is undefined, it is evaluated in m2 = F(w) instead. In most cases, certain 
restrictions have to be imposed on F to make sure that the fibred models define 
the desired semantics. These restrictions are given in form of a relation V between 
L1-models, L1-worlds, and L2-models; a fibring function can be used for an 
L1-model m1 if V(m1, w, F(1,2)(w)) holds for all worlds w of m1. 



Example 4. A proposition may be represented by different atoms $p_1$ and $p_2$ in $L_1$ and $L_2$. Then, for the semantics defined by the fibred models to be useful, one imposes the restriction that, if $p_1$ is true in a world $w$ of $m_1$, then $p_2$ is true in the initial world of $F(w)$.



Definition 13. Logics $L_1, L_2$ are suitable for fibring iff, for all $\Sigma_1 \in \mathit{Sig}_1$ and $\Sigma_2 \in \mathit{Sig}_2$, there is a signature $\Sigma_{(1,2)} \in \mathit{Sig}_1$ such that $\mathit{Form}_2^{\Sigma_2} \subseteq \mathit{Atom}_1^{\Sigma_{(1,2)}}$.

Let $\mathcal{V}$ be a restricting relation between $\Sigma_1$-models, $\Sigma_1$-worlds, and $\Sigma_2$-models. Then, the fibred logic $L_{(1,2)}$ is given by:

Signatures: $\mathit{Sig}_{(1,2)} = \{\Sigma_{(1,2)} \mid \Sigma_1 \in \mathit{Sig}_1,\ \Sigma_2 \in \mathit{Sig}_2\}$.

Syntax: For all $\Sigma_{(1,2)} \in \mathit{Sig}_{(1,2)}$, $\mathit{Form}_{(1,2)}^{\Sigma_{(1,2)}}$ is identical to $\mathit{Form}_1^{\Sigma_{(1,2)}}$, and $\mathit{Atom}_{(1,2)}^{\Sigma_{(1,2)}}$ is identical to $\mathit{Atom}_1^{\Sigma_{(1,2)}}$.

Semantics: A model $m_{(1,2)} \in \mathcal{M}_{(1,2)}^{\Sigma_{(1,2)}}$ consists of a $\Sigma_1$-model $m_1 \in \mathcal{M}_1^{\Sigma_1}$ and a fibring function $F$ that assigns to each world $w$ in $m_1$ a $\Sigma_2$-model $m_2 \in \mathcal{M}_2^{\Sigma_2}$ such that (a) $\mathcal{V}(m_1, w, m_2)$, and (b) $w \models_1 \phi$ iff $F(w) \models_2 \phi$ for all $\phi \in \mathit{Form}_2^{\Sigma_2}$. We define $\models_{(1,2)} = \models_1$, $W_{(1,2)} = W_1$, and the initial world of $m_{(1,2)}$ to be the initial world of $m_1$.

Example 5. To fibre $L_{PL1}$ and $L_K$, we assume that there is an $L_K$-signature $\Sigma_K$ for every $L_{PL1}$-signature $\Sigma_{PL1}$ such that the atoms over $\Sigma_{PL1}$ are the primitive propositions in $\Sigma_K$. Then, $\Sigma_{(PL1,K)}$ is an $L_{PL1}$-signature such that the predicate symbols are of the form $o_1 \cdots o_n\, p$ ($n \ge 0$) where $o_i \in \{\Box, \Diamond, \neg\}$ and $p$ is a predicate symbol in $\Sigma_{PL1}$.

The fibred logic $L_{(PL1,K)}$ is a first-order modal logic where the modal operators can only occur on the atomic level. If, however, the fibring process is iterated, then the result is full modal predicate logic, because then the logical connectives $\vee$, $\wedge$, $\to$ of $L_{PL1}$ can be used inside modal formulae.




7 Fibring Tableau Calculi 
In this section, we describe how to construct, in a uniform way, a calculus for a fibred logic $L_{(1,2)}$ from two calculi $C_1$ and $C_2$ for $L_1$ and $L_2$.

Expanding a tableau can be seen as an attempt to construct a model for the formula in the root node. If the tableau is closed, then there is no model and the formula in the root node is unsatisfiable. A tableau formula $\sigma{:}T\,\phi$ represents the fact that, in the constructed model, $\phi$ is true in the world corresponding to $\sigma$.

Now, we have to construct a fibred model and, thus, to represent knowledge about a fibred model by tableau formulae. Therefore, labels are now either of the form $\sigma_1 \in \mathit{Lab}_1$, denoting a world in the $L_1$-model, or of the form $(\sigma_1;\sigma_2)$ (where $\sigma_1 \in \mathit{Lab}_1$ and $\sigma_2 \in \mathit{Lab}_2$), denoting a world in the $L_2$-model that is assigned by the fibring function to the world represented by $\sigma_1$ in the $L_1$-model. A tableau formula $\sigma_1{:}T\,\phi$ still means that $\phi$ is true in $I_1(\sigma_1)$; a tableau formula $(\sigma_1;\sigma_2){:}T\,\phi$ means that $\phi$ is true in the world $I_2(\sigma_2)$ of the model assigned to $I_1(\sigma_1)$.

The combined calculus does not construct separate tableaux for $L_1$- and $L_2$-formulae but a single tableau, using a unified (set of) tableau rule(s).

The only additional assumption we have to make is that the extension of the restricting relation $\mathcal{V}$ (Def. 13) to tableau interpretations can be characterised using finite sets of tableau formulae:



Definition 14. Let $L_1$ and $L_2$ be logics suitable for fibring, let $C_1$ and $C_2$ be calculi for $L_1, L_2$, let $\mathcal{V}$ be a restricting relation (Def. 13), and let $\Sigma_1 \in \mathit{Sig}_1$ and $\Sigma_2 \in \mathit{Sig}_2$. A function that assigns to a finite subset $\Pi$ of $\mathit{TabForm}_1^{\Sigma_1^*}$ and a label $\sigma_1 \in \mathit{Lab}_1$ a finite set $\mathcal{V}'(\Pi, \sigma_1)$ of $L_2$-tableau formulae over the non-extended signature $\Sigma_2$ characterises $\mathcal{V}$ if the following holds for all finite or infinite sets $\Pi \subseteq \mathit{TabForm}_1^{\Sigma_1^*}$, all labels $\sigma_1 \in \mathit{Lab}_1$, and all tableau interpretations $(m_1, I_1) \in \mathit{TabInterp}_1^{\Sigma_1}$ and $(m_2, I_2) \in \mathit{TabInterp}_2^{\Sigma_2}$:

$\mathcal{V}(m_1, I_1(\sigma_1), m_2)$ holds if and only if (a) $I_1(\sigma_1)$ is defined, (b) $I_1(\sigma_1) \models_1 \Pi$, and (c) $(m_2, I_2)$ satisfies $\mathcal{V}'(\Pi', \sigma_1)$ for all finite subsets $\Pi'$ of $\Pi$.

Of course, the fibred calculus can only be implemented if the function $\mathcal{V}'$ is computable; for a semi-decision procedure, it is sufficient if $\mathcal{V}'(\Pi, \sigma_1)$ is enumerable for all $\Pi$ and $\sigma_1$.



Example 6. The following function can be used to characterise the (simple) restriction from Example 4: $\mathcal{V}'(\Pi, \sigma_1) = \{\sigma_2{:}S\,p_2 \mid \sigma_1{:}S\,p_1 \in \Pi\}$, where $\sigma_2$ is the initial label of $C_2$.



The expansion and closure rule of the fibred calculus $C_{(1,2)}$ constructed from $C_1$ and $C_2$ has four components: (1) the expansion rule of $C_1$, which can be applied to $L_1$-tableau formulae; (2) the expansion rule of $C_2$, which can be applied to $L_2$-tableau formulae with a label of the form $(\sigma_1;\sigma_2)$; (3) a transition rule that allows $(\sigma_1;\sigma_2^0){:}S\,\phi_2$ to be derived from $\sigma_1{:}S\,\phi_2$ if $\phi_2$ is an $L_2$-formula (in that case $\phi_2$ has to be expanded by the $C_2$-rule), i.e., if an $L_2$-formula $\phi_2$ is true in an $L_1$-world $w = I_1(\sigma_1)$, then it is true in the initial world of the $L_2$-model assigned to $w$; (4) a rule implementing the restriction relation, i.e., if the formulae in $\Pi$ occur on a branch and $\sigma_2{:}S\,\phi_2 \in \mathcal{V}'(\Pi, \sigma_1)$, then $(\sigma_1;\sigma_2){:}S\,\phi_2$ may be added.
Definition 15. Let $L_1, L_2$ be logics suitable for fibring; let $C_1, C_2$ be calculi for the logics $L_1, L_2$, and let these calculi be suitable for fibring; let $\mathcal{V}$ be a restricting relation characterised by the function $\mathcal{V}'$ (Def. 14). Then, the fibred calculus $C_{(1,2)}$ is, for all $\Sigma_1 \in \mathit{Sig}_1$, $\Sigma_2 \in \mathit{Sig}_2$, defined by:

Extended Signature: The extension of $\Sigma_{(1,2)}$ is the signature $\Sigma^*_{(1,2)}$ that is associated with $\Sigma_1^*$ and $\Sigma_2^*$ according to Definition 13.

Labels: $\mathit{Lab}_{(1,2)}^{\Sigma_{(1,2)}} = \mathit{Lab}_1 \cup \{(\sigma_1;\sigma_2) \mid \sigma_1 \in \mathit{Lab}_1^{\Sigma_1},\ \sigma_2 \in \mathit{Lab}_2^{\Sigma_2}\}$; the initial label $\sigma^0_{(1,2)}$ is the initial label $\sigma^0_1$ of $C_1$.

Expansion and closure rule: For all premisses $\Pi \subseteq \mathit{TabForm}_{(1,2)}$, the set $\mathcal{R}_{(1,2)}(\Pi)$ is the smallest set containing:

1. the conclusions in $\mathcal{R}_1(\Pi_1)$, where $\Pi_1$ consists of all tableau formulae of the form $\sigma_1{:}S\,\phi$ in $\Pi$ such that $\phi \in \mathit{Form}_1^{\Sigma_1^*}$ (expansion rule of $C_1$),

2. for all $\sigma_1 \in \mathit{Lab}_1$, the conclusions that can be constructed from the conclusions in $\mathcal{R}_2(\Pi_{2,\sigma_1})$ by replacing $\sigma_2$ by $(\sigma_1;\sigma_2)$; the set $\Pi_{2,\sigma_1}$ consists of all tableau formulae of the form $\sigma_2{:}S\,\phi$ such that $(\sigma_1;\sigma_2){:}S\,\phi$ is in $\Pi$ and $\phi \in \mathit{Form}_2^{\Sigma_2^*}$ (expansion rule of $C_2$),

3. the conclusion $\{\{(\sigma_1;\sigma_2^0){:}S\,\phi\}\}$ for all tableau formulae of the form $\sigma_1{:}S\,\phi$ in $\Pi$ such that $\phi \in \mathit{Form}_2^{\Sigma_2^*}$ (transition rule),

4. for all $\sigma_1 \in \mathit{Lab}_1^{\Sigma_1}$ and all subsets $\Pi_1$ of $\Pi$ (see point 1 above), the conclusion $\{\mathcal{V}'(\Pi_1, \sigma_1)\}$ (restriction relation).

Theorem 4. The fibred calculus $C_{(1,2)}$ that is constructed according to Definition 15 is suitable for fibring, i.e., it satisfies Conditions 4-9 in Section 3.

Corollary 1. The fibred calculus $C_{(1,2)}$ that is constructed according to Definition 15 is a sound and complete calculus for $L_{(1,2)}$, i.e., there is a closed tableau for $G \in \mathit{Form}_{(1,2)}^{\Sigma_{(1,2)}}$ if and only if $G$ is not satisfiable.

8 Fibring Calculi for Predicate and Modal Logic 

As an example, we fibre the calculus $C_{PL1}$ for first-order predicate logic $L_{PL1}$ introduced in Section 4.2 and the calculus $C_K$ for the logic $L_K$ of modalities defined in Section 5.2. The result is a calculus $C_{(1,2)}$ for first-order modal logic where the modal operators can only occur on the literal level (Example 5). Since, in this case, there is no additional restriction on which $L_K$-models may be assigned to worlds in $L_{PL1}$-models, the function $\mathcal{V}'(\Pi, \sigma)$ characterising the fibring restriction (Def. 14) is empty for all formula sets $\Pi$ and labels $\sigma$; therefore, the tableau expansion rule that implements the restriction relation is never applied.

Due to space restrictions, we cannot list the tableau expansion and closure rules of the fibred calculus, which can easily be constructed by instantiating the calculi $C_1$ and $C_2$ in Definition 15 with $C_{PL1}$ resp. $C_K$. Instead, we prove the formula

$$G = (\forall x)(\Box p(x)) \to [\neg(\exists y)(\Diamond\neg p(y)) \wedge \neg(\exists z)(\Diamond\neg p(z))]$$

to be valid in all models of the logic $L_{(1,2)} = L_{(PL1,K)}$, using the fibred calculus $C_{(1,2)} = C_{(PL1,K)}$ to construct a closed tableau for $\neg G$.



The closed tableau listed below is constructed as follows: Tableau formula 1 is put on the tableau initially; then formulae 2-7 are added using the $\alpha$- and $\beta$-rules of $C_{PL1}$. The $\delta$-rule of $C_{PL1}$ is applied to derive 8 from 7, using the Skolem constant $c_1 = \mathit{sko}((\exists y)(\Diamond\neg p(y)))$. Since 8 is an $L_K$-formula, the transition rule is applied to add 9 to the branch, which then allows the $L_K$-expansion rule to be applied to derive 10 from 9 (we assume that $\mathit{goedel}(\Diamond\neg p(c_1)) = 1$) and to derive 11 from 10. At this point, the $\gamma$-rule of $L_{PL1}$ is applied to 3 to derive 12, replacing the universally quantified variable $x$ with the ground term $c_1$ (which shows that $L_1$- and $L_2$-rules can be applied in an arbitrary order). Finally, the transition rule is applied to 12 to derive 13, and the $L_K$-rule for $\Box$-formulae is applied to derive 14. At this point, the left branch of the tableau is closed by the $L_K$-closure rule, because it contains the complementary atoms 11 and 14. The right branch is expanded and closed in the same way.

The tableau (formulae 4-6, the intermediate $\alpha$/$\beta$-expansions of 2, are omitted):

1   $*{:}T\,\neg((\forall x)(\Box p(x)) \to [\neg(\exists y)(\Diamond\neg p(y)) \wedge \neg(\exists z)(\Diamond\neg p(z))])$
2   $*{:}F\,(\forall x)(\Box p(x)) \to [\neg(\exists y)(\Diamond\neg p(y)) \wedge \neg(\exists z)(\Diamond\neg p(z))]$
3   $*{:}T\,(\forall x)(\Box p(x))$

Left branch:
7   $*{:}T\,(\exists y)(\Diamond\neg p(y))$
8   $*{:}T\,\Diamond\neg p(c_1)$
9   $(*;1){:}T\,\Diamond\neg p(c_1)$
10  $(*;1.1){:}T\,\neg p(c_1)$
11  $(*;1.1){:}F\,p(c_1)$
12  $*{:}T\,\Box p(c_1)$
13  $(*;1){:}T\,\Box p(c_1)$
14  $(*;1.1){:}T\,p(c_1)$
closed by 11 and 14

Right branch:
15  $*{:}T\,(\exists z)(\Diamond\neg p(z))$
16  $*{:}T\,\Diamond\neg p(c_1)$
17  $(*;1){:}T\,\Diamond\neg p(c_1)$
18  $(*;1.1){:}T\,\neg p(c_1)$
19  $(*;1.1){:}F\,p(c_1)$
20  $*{:}T\,\Box p(c_1)$
21  $(*;1){:}T\,\Box p(c_1)$
22  $(*;1.1){:}T\,p(c_1)$
closed by 19 and 22
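Steps 8-14 of the left branch, as an added example that is not part of the paper: a single-branch saturation for the fibred labels $(\sigma_1;\sigma_2)$ that implements the transition rule, the $C_K$ rules for negation, $\Diamond$ (new successor label $\sigma_2.n$ with $n = \mathit{goedel}(\cdot)$) and $\Box$ (every successor label already on the branch), and closure on complementary atoms carrying the same label. The encoding of formulae and labels, the choice of `'1'` as the initial $C_K$ label, and the dictionary-based injective numbering standing in for $\mathit{goedel}$ are assumptions of this example; the $C_{PL1}$ quantifier rules that produce 8 and 12 are not included, so the input starts from those two formulae.

```python
"""Added example (not from the paper): one branch of the fibred calculus C(PL1,K), limited
to what steps 8-14 use: transition rule, C_K rules for negation, diamond and box on labels
(sigma1; sigma2), and closure on complementary atoms with the same label.
Assumptions (ours): the initial C_K label is '1'; goedel(.) is any injective numbering of
formulae, here a dictionary; the PL1 quantifier rules are not included."""

# L_K formula encoding: ('atom', 'p(c1)'), ('not', f), ('dia', f), ('box', f).
# Tableau formula: (label, sign, f); label is an L1 label such as '*' (a string) or a
# fibred label (sigma1, sigma2) with sigma2 a dotted string such as '1.1'.
INITIAL_K_LABEL = '1'
_goedel = {}

def goedel(f):
    """Injective numbering of formulae, used to name the successor world sigma2.n."""
    return _goedel.setdefault(f, len(_goedel) + 1)

def successors(branch, s1, s2):
    """Labels (s1; s2.n) already on the branch: the worlds a T-box / F-diamond formula applies to."""
    return sorted({lab[1] for lab, _, _ in branch if isinstance(lab, tuple) and lab[0] == s1
                   and lab[1].startswith(s2 + '.') and '.' not in lab[1][len(s2) + 1:]})

def expand(tf, branch):
    """Conclusions of the one rule applicable to tf on this branch ([] if none)."""
    label, sign, f = tf
    if isinstance(label, str):                            # transition rule: s1:S phi -> (s1; 1):S phi
        return [((label, INITIAL_K_LABEL), sign, f)]
    s1, s2 = label
    if f[0] == 'not':                                     # C_K negation rule
        return [(label, 'F' if sign == 'T' else 'T', f[1])]
    if (f[0], sign) in (('dia', 'T'), ('box', 'F')):      # new successor s2.n with n = goedel(f)
        return [((s1, '%s.%d' % (s2, goedel(f))), sign, f[1])]
    if (f[0], sign) in (('box', 'T'), ('dia', 'F')):      # every successor already on the branch
        return [((s1, l2), sign, f[1]) for l2 in successors(branch, s1, s2)]
    return []                                             # atom: nothing to expand

def closed(branch):
    """C_K closure rule: sigma:T A and sigma:F A for the same label sigma and atom A."""
    return any(f[0] == 'atom' and (lab, 'F', f) in branch for lab, sign, f in branch if sign == 'T')

def saturate(initial):
    """Apply the rules until nothing new appears; return (closed, set of tableau formulae)."""
    branch = set(initial)
    while True:
        new = {c for tf in list(branch) for c in expand(tf, branch)} - branch
        if not new:
            return closed(branch), branch
        branch |= new

if __name__ == '__main__':
    p = ('atom', 'p(c1)')
    ok, br = saturate([('*', 'T', ('dia', ('not', p))), ('*', 'T', ('box', p))])
    for tf in sorted(br, key=repr):
        print(tf)
    print('closed:', ok)
```

Feeding `*:T ◇¬p(c1)` and `*:T □p(c1)` (formulae 8 and 12 of the tableau) reproduces 9-11 and 13-14 and closes the branch. Two $\Diamond$-formulae with different $\mathit{goedel}$ numbers end up in different successor labels, so their atoms cannot close a branch against each other, which is the label discipline the paper relies on; and `□p(c1)` together with `¬p(c1)` stays open, because in K the $\Box$-rule only speaks about successor worlds.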



The full power of the fibring method is revealed when the fibring process is iterated to construct a calculus $C_{[PL1,K]}$ for the full modal predicate logic $L_{[PL1,K]}$; this is possible because the calculi $C_{(1,2)}, C_{(1,(2,1))}, \ldots$ are all suitable for fibring. As an example, we use $C_{[PL1,K]}$ to prove that the formula constructed from $G$ by replacing the literal $p(x)$ by $r(x) \wedge s(x)$ and replacing the literals $\neg p(y)$ and $\neg p(z)$ by $\neg r(y) \vee \neg s(y)$ resp. $\neg r(z) \vee \neg s(z)$ is valid in all models of $L_{[PL1,K]}$. The construction of the tableau starts as above for $G$. We only consider the left branch (the right branch can be closed in the same way). Instead of the literals 10 and 14, the branch now contains $10' = (*;1.1){:}T\,\neg r(c_1) \vee \neg s(c_1)$ and $14' = (*;1.1){:}T\,r(c_1) \wedge s(c_1)$. The expansion of the branch continues as listed below (to simplify notation, we write $(*;1;*)$ instead of $(*;(1;*))$, etc.). The tableau formula $14'$ contains an $L_{PL1}$-formula. Therefore, the transition rule is applied, and 23 is derived from $14'$; this is the transition rule of the calculus $C_{(K,PL1)}$ that, during the iteration process, has been fibred with $C_{PL1}$ to construct $C_{(PL1,(K,PL1))}$. The $\alpha$-rule of $L_{PL1}$ is used to derive 24 and 25 from 23; then, 26 is derived from $10'$ by again applying the transition rule, and the $\beta$-rule is applied to derive 27 and 31 from 26. The literal $\neg r(c_1)$ in 27 contains the modal and not the first-order negation sign. Thus, the transition rule has to be applied again to derive 28, which then allows 29 to be derived by applying the rule for modal negation. The atomic tableau formulae 24 and 29 cannot be used to close the branch, because their labels are different. Thus, the transition rule is applied a last time to derive 30 from 24. Then, the branch is closed by 29 and 30.

Continuation of the left branch:

$10'$  $(*;1.1){:}T\,\neg r(c_1) \vee \neg s(c_1)$
$14'$  $(*;1.1){:}T\,r(c_1) \wedge s(c_1)$
23  $(*;1.1;*){:}T\,r(c_1) \wedge s(c_1)$
24  $(*;1.1;*){:}T\,r(c_1)$
25  $(*;1.1;*){:}T\,s(c_1)$
26  $(*;1.1;*){:}T\,\neg r(c_1) \vee \neg s(c_1)$

Left sub-branch:                          Right sub-branch:
27  $(*;1.1;*){:}T\,\neg r(c_1)$          31  $(*;1.1;*){:}T\,\neg s(c_1)$
28  $(*;1.1;*;1){:}T\,\neg r(c_1)$        32  $(*;1.1;*;1){:}T\,\neg s(c_1)$
29  $(*;1.1;*;1){:}F\,r(c_1)$             33  $(*;1.1;*;1){:}F\,s(c_1)$
30  $(*;1.1;*;1){:}T\,r(c_1)$             34  $(*;1.1;*;1){:}T\,s(c_1)$
closed by 29 and 30                       closed by 33 and 34

9 Conclusion 

We have presented a uniform method for constructing a sound and complete tableau calculus for a fibred logic from calculi for its component logics. Conditions have been identified that tableau calculi have to satisfy to be suitable for fibring; the conditions are neither too weak nor too strong. Since tableau calculi are already known for most "basic" logics, it is possible to construct calculi for all "complex" logics that can be constructed by fibring basic logics. The main advantages of a uniform framework for fibring calculi are:

To construct a calculus for the combination $L_{[1,2]}$ of two particular logics, no knowledge is needed about the interaction between calculi for $L_1$ and $L_2$. Thus, a calculus for the combination $L_{[1,2]}$ can be obtained quickly and easily.

Soundness and completeness of the fibred calculus do not have to be proven; they follow from Theorem 4 if the calculi being fibred are suitable for fibring.

A calculus $C_1$ for a logic $L_1$ can be fibred with a calculus $C_2$ for a "sub-logic" $L_2$ of $L_1$ (for example, propositional logic is a sub-logic of predicate logic); although $C_1$ can handle the whole logic $L_1$, the calculus $C_2$ may be more efficient for formulae from $L_2$, such that the fibred calculus $C_{(1,2)}$ is more efficient than $C_1$. This can be seen as a generalisation of the theory reasoning method.

Acknowledgement. We thank Guido Governatori and two anonymous referees 
for useful comments on an earlier version of this paper. 
Abstract. Set theory is the common language of mathematics. Therefore, set theory plays an important role in many important applications of automated deduction. In this paper, we present an improved tableau calculus for the decidable fragment of set theory called multi-level syllogistic with singleton (MLSS). Furthermore, we describe an extension of our calculus for the bigger fragment consisting of MLSS enriched with free (uninterpreted) function symbols (MLSSF).



1 Introduction 

Set theory is the common language of mathematics. Therefore, set theory plays an important role in many important applications of automated deduction. For example, some of the most widely used specification languages, namely the Z and B specification languages, are completely based on set theory. For other languages, sets are at least a very important construct, frequently used in specifications either on the meta-level or as a data structure of the specified programs. Set theoretic proof obligations occur both as part of proving an implementation to be sound w.r.t. a specification and as part of immanent reasoning (such as consistency checks, proving invariants, pre- and post-conditions).

Set theoretic reasoning, i.e., employing special purpose techniques instead of 
using the axioms of set theory, is indispensable for automated deduction in real 
world domains. Automated deduction tools can, for example, be integrated into 
interactive software verification systems and relieve the user from the need to 
interactively handle simple set theoretic problems that do not require his or her 
intuition but merely a combinatorial search. 

In this paper, we present an improved tableau calculus for the decidable frag- 
ment of set theory called Multi-level Syllogistic with Singleton (MLSS). Further- 
more, we describe an extension of our calculus for the bigger fragment consisting 
of MLSS enriched with free (uninterpreted) function symbols (MLSSF). 

Multi-level Syllogistic (MLS) consists of quantifier-free formulae built using 
the set theoretic predicates membership, equality, set inclusion, the binary fun- 
ctions union, intersection, set difference, and a constant representing the empty 
© Springer-Verlag Berlin Heidelberg 1998

B. Beckert and U. Hartmer

set. In the extension MLSS of MLS, $n$-ary functions $\{\cdot\}_n$ can be used to construct singletons, pairs, etc.

The expressiveness of MLSS is sufficient for many applications. MLSS formu- 
lae can contain variables, which are implicitly universally quantified. The main 
restriction is that there is no existential quantification; thus, sentences such as 
“there is an infinite set” cannot be formalised within MLSS. 

Our calculus for MLSS, which is a sound and complete decision procedure, is an extension of the tableau-based calculus for MLSS that Cantone described in [4]. It does not require formulae to be in normal form, whereas Cantone's calculus only contains rules for normalised MLSS literals (which are not allowed to contain complex terms) and relies on a pre-processing transformation for normalising formulae. The handling of free function symbols in the extended calculus for MLSSF employs E-unification techniques for reducing the search space by finding term pairs that, when shown to be equal, close a tableau branch.

Several methods for handling set theory in tableaux or the sequent calculus 
(without the restriction to a certain fragment) have been proposed: In [2], Brown 
presents a first-order sequent calculus that contains special rules for many set 
theoretic symbols. De Nivelle [10] and Pastre [14] introduce sequent calculi for 
set theory. Shults [15] describes a tableau calculus with special set theoretic 
rules. All these calculi, however, are incomplete (no semi-decision procedures). 

Decision and semi-decision procedures for various extensions of MLS have 
been described in the literature; these, however, are not based on tableaux but 
are highly non-deterministic search procedures and are not suitable for imple- 
mentation; an overview can be found in [5,6]. Extensions of MLS that are known 
to be decidable include: MLS with powerset and singleton [3,7], with relational 
constructs [9], with unary union [8], and with a choice operator [11]. 

This paper is structured as follows: In Sect. 2, we define the syntax and 
semantics of the fragments MLSS and MLSSF of set theory. In Sect. 3, we intro- 
duce those parts of our calculus that are not specific for set theoretic formulae. 
In Sect. 4, we describe our calculus for the fragment MLSS; and in Sect. 5, we 
extend the calculus for handling the fragment MLSSF including free function 
symbols. As an example, we present a proof for an MLSSF formula in Sect. 6. 
Finally, in Sect. 7, we draw conclusions and discuss future work. Due to space 
restrictions, proofs are not included in this paper; they can be found in [12]. 

2 Syntax and Semantics 
2.1 Syntax of MLSS and MLSSF 

We handle two classes of set theoretic formulae: The first are formulae in the fragment multi-level syllogistic with singletons (MLSS); this is the quantifier-free fragment of set theoretic formulae using (a) the set theoretic predicate symbols $\in$ (membership), $\approx$ (equality), $\sqsubseteq$ (set inclusion), (b) the set theoretic function symbols $\sqcap$ (intersection), $\sqcup$ (union), $\setminus$ (set difference), and $\{\cdot\}_n$ with arity $n \ge 1$ (singleton, pair, etc.), and (c) the set theoretic constant $\emptyset$ (the empty set). As usual, the binary function and predicate symbols are written in infix notation, and $\{\cdot\}_n$ is written in circumfix notation.¹ The second fragment, called MLSSF, is the extension of MLSS by free function symbols that have no special set theoretic interpretation.

In the following, we assume that a fixed signature is given consisting of a set 
Var of variables, a set Const of constants, and a set Func of function symbols. 

Definition 1. The set of pure set terms is inductively defined by: (1) All variables $x \in \mathit{Var}$, all constants $c \in \mathit{Const}$, and $\emptyset$ are pure set terms. (2) If $t_1, t_2$ are pure set terms, then $t_1 \sqcap t_2$, $t_1 \sqcup t_2$, and $t_1 \setminus t_2$ are pure set terms. (3) For all $n \ge 1$, if $t_1, \ldots, t_n$ are pure set terms, then $\{t_1, \ldots, t_n\}_n$ is a pure set term.

The set of set terms is inductively defined by: (1) All pure set terms are set terms. (2) If $f \in \mathit{Func}$ is a function symbol of arity $n \ge 1$ and $t_1, \ldots, t_n$ are set terms, then $f(t_1, \ldots, t_n)$ is a set term.

A set term is called functional if it is of the form $f(t_1, \ldots, t_n)$.

Note that functional set terms can contain non-functional set terms (which are not necessarily pure) and vice versa.

MLSS and MLSSF are built using the logical connectives $\vee$ (disjunction), $\wedge$ (conjunction), $\neg$ (negation), and $\to$ (implication). Formulae that are identical up to associativity of $\vee$ and $\wedge$ are identified.

Definition 2. If $t_1, t_2$ are pure set terms (resp. set terms), then $t_1 \in t_2$, $t_1 \approx t_2$, and $t_1 \sqsubseteq t_2$ are MLSS (resp. MLSSF) atoms. If $p$ is an MLSS (MLSSF) atom, then $p$ and $\neg p$ are MLSS (MLSSF) literals.

The sets of MLSS and MLSSF formulae are inductively defined by: (1) All MLSS (MLSSF) literals are MLSS (MLSSF) formulae. (2) If $\phi, \psi$ are MLSS (MLSSF) formulae, then $\neg\phi$ and $\phi \to \psi$ are MLSS (MLSSF) formulae. (3) If $\phi_1, \ldots, \phi_n$ are MLSS (MLSSF) formulae, then $\phi_1 \wedge \cdots \wedge \phi_n$ and $\phi_1 \vee \cdots \vee \phi_n$ are MLSS (MLSSF) formulae ($n \ge 2$).

To simplify notation, we use the negative versions $\notin$, $\not\approx$, and $\not\sqsubseteq$ of the predicate symbols $\in$, $\approx$, and $\sqsubseteq$, where $s \notin t$ is an abbreviation for $\neg(s \in t)$, etc.



2.2 Semantics 

We use the semantics of set theory (and thus its fragments MLSS and MLSSF) 
as it is defined by the ZF axiom system or, equivalently, by the von Neumann 
hierarchy (cumulative hierarchy) of sets (see for example [13] for a detailed dis- 
cussion of the semantics of set theory). 

Definition 3. Let $\mathit{Ord}$ denote the class of all ordinals. The von Neumann hierarchy of sets is defined by $V = \bigcup_{\alpha \in \mathit{Ord}} V_\alpha$, where (1) $V_0 = \emptyset$, (2) $V_\alpha = \bigcup_{\beta < \alpha} V_\beta$ for each limit ordinal $\alpha$, and (3) $V_{\alpha+1}$ is the powerset of $V_\alpha$ for each ordinal $\alpha$.

¹ To avoid confusion we use the non-standard symbols $\in$, $\approx$, $\sqsubseteq$, $\sqcap$, $\sqcup$, $\emptyset$ on the object level and the standard symbols $\in$, $=$, $\subseteq$, $\cap$, $\cup$, $\emptyset$ on the meta level.

We only define the semantics of the fragment MLSSF; the semantics of MLSS is the same as that of MLSSF for the case of an empty set of function symbols.

Definition 4. A set structure $M = (D, I)$ consists of a domain $D$ and an interpretation $I$ with the following properties: The elements of $D$ are sets in the von Neumann hierarchy; $D$ is closed under the set operations $\cap$, $\cup$, $\setminus$, and $\{\cdot\}_n$ ($n \ge 1$), and it contains the empty set; $I$ interprets (1) each constant symbol $c \in \mathit{Const}$ by an element of $D$, (2) each function symbol $f \in \mathit{Func}$ of arity $n$ by a function $D^n \to D$, (3) the constant $\emptyset$ by the empty set, (4) the predicate symbols by their canonical interpretations, i.e., $\in$ by $\in$, $\approx$ by the identity relation, and $\sqsubseteq$ by $\subseteq$, (5) the set theoretic function symbols by their canonical interpretations, i.e., $\sqcup$ by $\cup$, $\sqcap$ by $\cap$, $\setminus$ by $\setminus$, and $\{\cdot\}_n$ by $\{\cdot\}_n$ ($n \ge 1$).

Definition 5. Given a set structure $M = (D, I)$, a variable assignment is a mapping $\mu : \mathit{Var} \to D$ from the set of variables to the domain $D$. The combination of $M$ and a variable assignment $\mu$ associates (by structural recursion) with each set term $t$ an element $\mathit{val}_{M,\mu}(t)$ of $D$; and it associates with each MLSSF formula $\phi$ either $\mathit{true}$ or $\mathit{false}$. A formula $\phi$ is true in $M$ (and $M$ is a model of $\phi$) if, for all variable assignments $\mu$, $\mathit{val}_{M,\mu}(\phi) = \mathit{true}$; else $\phi$ is false in $M$.

Definition 6. An MLSSF formula $\phi$ is satisfiable if there is a set structure $M$ such that $\phi$ is true in $M$; $\phi$ is valid if it is true in all set structures.

3 Tableaux for Quantifier-Free Formulae 

In this section, we introduce those parts of our calculus that are not specific for 
set theory. In particular, we define the expansion rules for logical connectives. 

The non-literal MLSS and MLSSF formulae are divided into two classes: $\alpha$ for formulae of conjunctive type and $\beta$ for formulae of disjunctive type. In the left part of Table 1, the expansion rules for $\alpha$- and $\beta$-formulae are given schematically. Premisses and conclusions are separated by a horizontal bar, while vertical bars in the conclusion denote different extensions. The tableau expansion rule corresponding to a formula $\phi$ is obtained by looking up the formula type of $\phi$ in the right part of Table 1 and instantiating the matching rule schema. The formulae in an extension are implicitly conjunctively connected, and different extensions are implicitly disjunctively connected. We use $n$-ary $\alpha$- and $\beta$-rules, i.e., when the $\beta$-rule is applied to a formula $\psi = \phi_1 \vee \ldots \vee \phi_n$, then $\psi$ is broken up into $n$ subformulae (instead of splitting it into two formulae $\phi_1 \vee \ldots \vee \phi_r$ and $\phi_{r+1} \vee \ldots \vee \phi_n$).

Below, tableaux and tableau proofs are defined in general; which expansion 
rules (besides those for the logical connectives) and which closure rules are to 
be used is described in the following sections. 

Definition 7. An MLSS tableau (an MLSSF tableau) is a finitely branching tree whose nodes are MLSS formulae (MLSSF formulae). A branch in a tableau $T$ is a maximal path in $T$ (where no confusion can arise, a branch is often identified with the set of formulae it contains).
Table 1. Rule schemata for $\alpha$- and $\beta$-formulae, and correspondence between non-literal formulae and rule types.

Rule schemata (premiss above the bar, conclusion below):

    $\alpha$                          $\beta$
    -------------------------         -------------------------------
    $\alpha_1, \ldots, \alpha_n$      $\beta_1 \mid \cdots \mid \beta_n$

Correspondence between formulae and rule types:

    $\alpha$-formula                       $\alpha_1, \ldots, \alpha_n$
    $\phi_1 \wedge \ldots \wedge \phi_n$   $\phi_1, \ldots, \phi_n$
    $\neg(\phi_1 \vee \ldots \vee \phi_n)$ $\neg\phi_1, \ldots, \neg\phi_n$
    $\neg(\phi \to \psi)$                  $\phi, \neg\psi$
    $\neg\neg\phi$                         $\phi$

    $\beta$-formula                        $\beta_1, \ldots, \beta_n$
    $\phi_1 \vee \ldots \vee \phi_n$       $\phi_1, \ldots, \phi_n$
    $\neg(\phi_1 \wedge \ldots \wedge \phi_n)$ $\neg\phi_1, \ldots, \neg\phi_n$
    $\phi \to \psi$                        $\neg\phi, \psi$

Given an MLSS (MLSSF) formula $\phi$ and a set of tableau expansion rules, the tableaux for $\phi$ are (recursively) defined by: (1) The tree consisting of a single node labelled with $\phi$ is a tableau for $\phi$ (initialisation rule). (2) Let $T$ be a tableau for $\phi$, $B$ a branch of $T$, and let the premiss of one of the expansion rules occur on $B$. If the tree $T'$ is constructed by extending $B$ by as many new linear subtrees as the tableau expansion rule has extensions, where the nodes of the new subtrees are labelled with the formulae in the extensions, then $T'$ is a tableau for $\phi$ (expansion rule).

Since the free variables in quantifier-free formulae are implicitly universally quantified, a formula $\phi(x)$ is valid if and only if a Skolemisation $\neg\phi(c)$ of its negation is unsatisfiable. Thus, free variables can be eliminated, and a tableau calculus for formulae without free variables is sufficient for checking the validity of a given formula $\phi$.

Definition 8. Given an MLSSF formula $\phi(x_1, \ldots, x_n)$, where $x_1, \ldots, x_n$ are the (free) variables in $\phi$ ($n \ge 0$), a formula $\phi(c_1, \ldots, c_n)$ is a Skolemisation of $\phi$ if $c_1, \ldots, c_n$ are constants that do not occur in $\phi(x_1, \ldots, x_n)$.

Definition 9. A tableau $T$ is a tableau proof for an MLSS/MLSSF formula $\phi$ if (1) $T$ is a tableau for a Skolemisation of $\neg\phi$ (Def. 8), and (2) all branches of $T$ are closed (Def. 10).
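The connective layer of Sect. 3, as an added example that is not part of the paper: the $n$-ary $\alpha$/$\beta$ schemata of Table 1, the recursive tableau construction of Def. 7, Skolemisation (Def. 8) and the proof condition of Def. 9, here with closure by complementary literals only, since the set theoretic rules come later. The tuple encoding of formulae, the name `atom`, and the convention that the caller says which argument names are variables are assumptions of this example.

```python
"""Added example (not from the paper): n-ary alpha/beta schemata of Table 1, tableau
construction (Def. 7), Skolemisation (Def. 8) and tableau proofs (Def. 9), for the
connective layer only; branches close by complementary literals.
Assumptions (ours): atoms are ('lit', pred, args) with string arguments, and the caller
says which argument names are variables."""
import itertools

def atom(pred, *args):
    """An MLSS/MLSSF atom, e.g. x in a is atom('in', 'x', 'a')."""
    return ('lit', pred, tuple(args))

def extensions(f):
    """Table 1: extensions of a non-literal formula (None for a literal or negated literal).
    One extension = alpha-rule, several extensions = beta-rule; n-ary, as in the paper."""
    neg = lambda g: ('not', g)
    if f[0] == 'and':                        # phi1 & ... & phin        alpha: phi1, ..., phin
        return [list(f[1:])]
    if f[0] == 'or':                         # phi1 v ... v phin        beta:  phi1 | ... | phin
        return [[g] for g in f[1:]]
    if f[0] == 'imp':                        # phi -> psi               beta:  not phi | psi
        return [[neg(f[1])], [f[2]]]
    if f[0] == 'not' and f[1][0] != 'lit':
        g = f[1]
        if g[0] == 'not':                    # not not phi              alpha: phi
            return [[g[1]]]
        if g[0] == 'and':                    # not(phi1 & ... & phin)   beta:  not phi1 | ... | not phin
            return [[neg(h)] for h in g[1:]]
        if g[0] == 'or':                     # not(phi1 v ... v phin)   alpha: not phi1, ..., not phin
            return [[neg(h) for h in g[1:]]]
        if g[0] == 'imp':                    # not(phi -> psi)          alpha: phi, not psi
            return [[g[1], neg(g[2])]]
    return None

def atoms(f):
    if f[0] == 'lit':
        yield f
    else:
        for g in f[1:]:
            yield from atoms(g)

def substitute(f, sub):
    if f[0] == 'lit':
        return ('lit', f[1], tuple(sub.get(a, a) for a in f[2]))
    return (f[0],) + tuple(substitute(g, sub) for g in f[1:])

def skolemise(f, variables):
    """Def. 8: replace every free variable by a constant c_i that does not occur in f."""
    names = {a for l in atoms(f) for a in l[2]}
    fresh = (c for c in ('c%d' % i for i in itertools.count(1)) if c not in names)
    return substitute(f, {x: next(fresh) for x in sorted(names & set(variables))})

def branches(formulas):
    """Def. 7: expand until only literals remain; returns the branches as frozensets."""
    pending = [f for f in formulas if extensions(f) is not None]
    if not pending:
        return [frozenset(formulas)]
    f = pending[0]
    rest = [g for g in formulas if g != f]
    return [b for ext in extensions(f) for b in branches(rest + ext)]

def complementary(branch):
    return any(('not', l) in branch for l in branch)

def tableau_proof(f, variables):
    """Def. 9 with the connective rules only: every branch of the tableau for the
    Skolemised negation of f is closed by a complementary pair."""
    return all(complementary(b) for b in branches([skolemise(('not', f), variables)]))
```

`tableau_proof(('imp', ('and', A, B), A), {'x'})` holds for `A = atom('in', 'x', 'a')`, `B = atom('in', 'x', 'b')`: the negated, Skolemised formula expands by two $\alpha$-steps to the branch $\{A, B, \neg A\}$. With the set theoretic rules of Sect. 4 plugged into `extensions` and the closure conditions of Def. 10 replacing `complementary`, the same skeleton yields the full MLSS calculus.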

4 A Tableau Calculus for MLSS 

In this section, we present tableau expansion rules that — in combination with 
the expansion rules for the logical connectives — represent a sound and complete 
calculus for MLSS, i.e., for formulae built using only pure set literals. It can 
easily be turned into a decision procedure (see Sect. 4.5). 

Since the negation of the formula to be proven is first Skolemised and then split into literals using the rules for logical connectives, it is sufficient to define expansion rules for handling pure, variable-free set literals.

4.1 Expansion Rules for Splitting Complex Set Terms 

The first group of expansion rules applies simple set theoretic lemmata such as "if $s \in t_1 \sqcup t_2$ then $s \in t_1$ or $s \in t_2$" to (a) eliminate literals containing the set inclusion predicate $\sqsubseteq$ and replace them with (in-)equalities, and to (b) split complex terms on the right side of the membership predicate $\in$ into their constituents. These rules can be described using the $\alpha$- and $\beta$-rule schemata (left part of Table 1); the formula and rule types are listed in Table 2.



Table 2. Rule types for splitting complex set terms.

$\alpha$-rules (premiss $\alpha$ / conclusions $\alpha_1, \ldots, \alpha_n$):

    (R1)   $s \sqsubseteq t$                     /  $s \approx s \sqcap t$
    (R2)   $s \not\sqsubseteq t$                 /  $s \not\approx s \sqcap t$
    (R3)   $s \in t_1 \sqcap t_2$                /  $s \in t_1,\ s \in t_2$
    (R4)   $s \in t_1 \setminus t_2$             /  $s \in t_1,\ s \notin t_2$
    (R5)   $s \notin t_1 \sqcup t_2$             /  $s \notin t_1,\ s \notin t_2$
    (R6)   $s \notin \{t_1, \ldots, t_n\}_n$     /  $s \not\approx t_1, \ldots, s \not\approx t_n$

$\beta$-rules (premiss $\beta$ / extensions $\beta_1 \mid \cdots \mid \beta_n$):

    (R7)   $s \in t_1 \sqcup t_2$                /  $s \in t_1 \mid s \in t_2$
    (R8)   $s \notin t_1 \sqcap t_2$             /  $s \notin t_1 \mid s \notin t_2$
    (R9)   $s \notin t_1 \setminus t_2$          /  $s \notin t_1 \mid s \in t_2$
    (R10)  $s \in \{t_1, \ldots, t_n\}_n$        /  $s \approx t_1 \mid \cdots \mid s \approx t_n$


4.2 Expansion Rules for Handling Equality and Inequality 

There are three types of special rules for handling the equality and inequality of sets. First, there are two rules ((EQ1) and (EQ2) in Table 3) that allow an equality $t_1 \approx t_2$ to be "applied" to other literals in a very restricted way: an equality can only be applied at the top level and only to the right side of an atom whose predicate symbol is $\in$. That is, an equality can only be applied to derive one of the atoms $s \in t_1$ and $s \in t_2$ from the other one. This restriction is important, because the possibility to apply equalities arbitrarily to other literals would lead to a much larger search space.

Second, it is possible to derive $s_1 \not\approx s_2$ from $s_1 \in t$ and $s_2 \notin t$ (rule (R11) in Table 3). This rule is based on the fact that two objects are different if one of them is an element of some set and the other is not.

Third, the opposite of the above holds as well: if two sets $t_1$ and $t_2$ are different, then one of them contains an element $c$ that is not an element of the other set. Unfortunately, this leads to a branching rule (rule (R12) in Table 3), because $c$ can be an element of $t_1$ (and not of $t_2$) or of $t_2$ (and not of $t_1$). A new constant has to be introduced representing the unknown element $c$.



Table 3. Rules for handling equality and inequality, and the restricted cut rule (premisses / conclusions, with $\mid$ separating extensions).

    (EQ1)  $t_1 \approx t_2,\ s \in t_1$    /  $s \in t_2$
    (EQ2)  $t_1 \approx t_2,\ s \in t_2$    /  $s \in t_1$
    (R11)  $s_1 \in t,\ s_2 \notin t$       /  $s_1 \not\approx s_2$
    (R12)  $t_1 \not\approx t_2$            /  $c \in t_1,\ c \notin t_2 \mid c \notin t_1,\ c \in t_2$
           where $c$ is a constant new to the tableau
    (Cut)  (no premiss)                     /  $s \in t \mid s \notin t$
           where $s$ resp. $\{\ldots, s, \ldots\}$ and $t$ resp. $\{\ldots, t, \ldots\}$ are top-level terms on the branch

A Tableau Calculus for Quantifier-Free Set Theoretic Formulae



4.3 The Cut Rule 

The cut rule (Table 3) may be applied to extend a tableau branch $B$ using as cut formula atoms $s \in t$ where the set terms $s$ and $t$ occur (a) as top-level arguments of a literal on $B$, or (b) as arguments on the second level if the top-level function symbol is $\{\cdot\}_n$. In practice the cut rule is rarely needed to find a proof; it is, for example, needed to detect implicit membership cycles on a branch; see Sect. 4.4.

Example 1. If $t_1 \in \{t_2, (t_3 \sqcap t_4)\}_2$ and $t_5 \sqcap t_6 \approx t_7$ are literals on the branch, then $t_1$, $t_2$, $(t_3 \sqcap t_4)$, $(t_5 \sqcap t_6)$, $t_7$ may be used in a cut rule application and $t_3$, $t_4$, $t_5$, $t_6$ may not be used.

4.4 The Closure Rules 

Tableau expansion rules add formulae to a tableau branch that are true in all set structures that are models of the expanded branch; the purpose of closure rules is to detect inconsistencies, i.e., formulae on a branch that are false in all set structures. There are four types of inconsistencies that have to be considered: (1) In no set structure are both a formula $\phi$ and its complement $\neg\phi$ true; thus, a pair $\phi$, $\neg\phi$ is inconsistent (for completeness it is sufficient to only consider complementary literals). (2) No object is an element of the empty set; therefore, a literal of the form $t \in \emptyset$ is inconsistent. (3) As no object is different from itself, literals of the form $t \not\approx t$ are inconsistent. (4) The existence of a membership cycle, i.e., of sets $u_1, \ldots, u_k$ such that $u_i \in u_{i+1}$ ($1 \le i < k$) and $u_k \in u_1$, would contradict the Axiom of Foundation. In fact, there are by construction no sets in the von Neumann hierarchy that form a membership cycle. Thus, literals defining a membership cycle are inconsistent; in particular, $t \in t$ is inconsistent.

Definition 10. A tableau branch $B$ is closed if it contains (1) a complementary pair $\phi$ and $\neg\phi$ of literals, (2) a literal of the form $t \in \emptyset$, (3) a literal of the form $t \not\approx t$, or (4) for some $k \ge 1$, literals $t_i \in t_{i+1}$ ($1 \le i < k$) and $t_k \in t_1$.

4.5 Soundness, Completeness, Termination

The calculus for MLSS described in the previous sections is sound and complete:

Theorem 1. An MLSS formula $\phi$ is valid iff there is a tableau proof for $\phi$ using the expansion rules from Tables 1-3 and the closure rule from Def. 10.

Without further restrictions, the calculus is not a decision procedure. The rule for inequalities ((R12) in Table 3) introduces new constants, and the cut rule can, in connection with rule (R11), construct new inequalities from the new constants; the interaction of these rules can lead to infinite branches.

Fortunately, the calculus can easily be turned into a decision procedure, observing the fact that chains $c_1, c_2, \ldots$, where $c_i$ is derived by applying the inequality rule (R12) to an inequality that contains the constant $c_{i-1}$, cannot be infinite; their length is bounded by the number of (sub-)terms in the initial tableau:

Definition 11. The rank $\mathit{rank}(s)$ of a set term s in a tableau for an MLSS formula $\phi$ that has been constructed using the expansion rules from Tables 1-3 and the closure rule from Def. 10 is defined as follows: If s occurs in $\phi$ or has been generated by an application of rules (R1) and (R2), then $\mathit{rank}(s) = 0$; otherwise, i.e., if s is a constant that has been introduced by applying rule (R12) to an inequality $t_1 \not\approx t_2$, then its rank is $\mathit{rank}(s) = 1 + \max\{\mathit{rank}(t_1), \mathit{rank}(t_2)\}$.

Definition 12. A tableau T for an MLSS formula $\phi$ is exhausted if no tableau expansion rule can be applied to T without either adding a constant whose rank is greater than the number of (sub-)terms in the root node of T or adding only formulae to a branch B that already occur on B.

Theorem 2. There is an exhausted tableau for an MLSS formula $\phi$ if and only if $\phi$ is satisfiable.

Thus, if a tableau for the Skolemisation of the negation of an MLSS formula $\phi$ is constructed in a fair way (i.e., all possible rule applications are executed sooner or later), then the construction will terminate after a finite number of steps with a tableau that is (a) closed, in which case $\phi$ is valid, or (b) exhausted, in which case $\phi$ is not valid.

4.6 Restricting the Search Space

Although it is finite, the search space for a tableau proof is large because of the indeterminism of the cut rule, and because the number of new constants that can be introduced is exponential in the size of the formula to be proven.

Fortunately, it is possible to impose a strong restriction on cut rule applications, which at the same time restricts the number of new constants that are introduced, because a constant $c_k$ of rank k can only be deduced from a constant $c_{k-1}$ of rank $k-1$ after the cut rule has been applied to a literal containing $c_{k-1}$. The idea is to apply all rules except the cut rule until no further applications are possible, and then to construct a realisation of open branches. The realisation of a branch B approximates a model for B (if the branch is satisfiable); it satisfies at least all literals of the form $t_1 \in t_2$ on B. If the realisation does not satisfy all the other literals on B as well, it can be used to find cut rule applications that are (at least potentially) useful.

The switching between the expansion of tableau branches and the construction of possible models, and the way in which we construct models, are similar to the method Cantone describes in [4].

Definition 13. Let T be a tableau for an MLSS formula $\phi$, and let B be a branch of T. Then, G is the set of all (sub-)terms occurring in $\phi$; V is the set of all terms $t \in G$ such that $t \in s$ occurs on B and of all constants in $\phi$; $\mathcal{T}$ is the set of all constants on B that are not in V; $\approx$ is the equivalence relation on $G \cup \mathcal{T}$ induced by the equalities on B; $\mathcal{T}'$ is the set of all $c \in \mathcal{T}$ such that $c \not\approx s$ for all $s \in G$; V' is the set $(V \cup \mathcal{T}) \setminus \mathcal{T}'$; $u_c$ is, for each $c \in \mathcal{T}'$, an element of V different from all $u_{c'}$ for $c \neq c'$.

Note that $\mathcal{T}'$ contains the new constants that have been introduced by applying the inequality rule (R12) and that are not equal to other terms (w.r.t. the equalities on the branch). The interpretation of these constants has to be different from the interpretation of all other terms, whereas different terms in V' may have the same interpretation.

Definition 14. Let B be a branch of a tableau for an MLSS formula $\phi$, and let t be a set term on B. Then the set $P(t)$ of implicit predecessors of t is defined by: (1) $P(\emptyset) = \emptyset$; (2) $P(c) = \{s \in V \cup \mathcal{T} \mid s \in c \text{ on } B\}$ if $c \in \mathit{Const}$; (3) $P(t_1 \cup t_2) = P(t_1) \cup P(t_2)$; (4) $P(t_1 \cap t_2) = P(t_1) \cap P(t_2)$; (5) $P(t_1 \setminus t_2) = P(t_1) \setminus P(t_2)$; and (6) $P(\{t_1, \ldots, t_n\}_n) = \{s \in V \cup \mathcal{T} \mid s \in \{t_1, \ldots, t_n\}_n \text{ on } B\} \cup \{t_1, \ldots, t_n\}$.

The sets of implicit predecessors can be used to detect implicit membership cycles. If, for example, $s \in P(t)$ and $t \in P(s)$ for some terms s, t, then the branch can be closed, and it is not necessary to apply expansion rules (especially the cut rule) to make the cycle explicit. Thus, using the predecessor sets we can add another closure rule:

Definition 15. A tableau branch B is closed if it is (a) closed according to Def. 10 or (b) its sets of implicit predecessors contain a cycle, i.e., there are (sub-)terms $t_1, \ldots, t_n$ on B such that $t_1 \in P(t_2), \ldots, t_{n-1} \in P(t_n), t_n \in P(t_1)$.

The set $P(t)$ of implicit predecessors contains those terms denoting elements of t whose membership can be deduced from literals on B of the form $s \in a$ (where $a \in \mathit{Const}$) by applying the definition of the set operators. The realisation of a branch goes beyond that: it is a partial definition of a set interpretation (different terms may be interpreted by the same set).

Definition 16. Let B be a branch of a tableau for an MLSS formula $\phi$, and let t be a set term on B. If B is not closed (Def. 15), then the realisation $\mathcal{R}$ of B is defined by (*): (1) $\mathcal{R}(t) = \emptyset$ if $t = \emptyset$, (2) $\mathcal{R}(t) = \{\mathcal{R}(s) \mid s \in P(t)\} \cup \{u_t\}$ if $t \in \mathcal{T}'$, and (3) $\mathcal{R}(t) = \{\mathcal{R}(s) \mid s \in P(t)\}$ otherwise.

The realisation can be effectively computed and can be used to restrict the application of the cut rule: provided B is exhausted w.r.t. all other expansion rules, the cut rule only has to be applied to terms occurring in literals which are not satisfied by the realisation of B (if there is no such literal, then B is satisfiable and we are done). If, for example, $t_1 \notin t_2$ occurs on B but $\mathcal{R}(t_1) \in \mathcal{R}(t_2)$, then there has to be a term s such that (a) $\mathcal{R}(s) = \mathcal{R}(t_1)$, i.e., the realisation of s is the same as that of $t_1$, and (b) s is an implicit member of $t_2$, i.e., $s \in P(t_2)$, but that membership is not (yet) made explicit on the branch (there is no literal $s \in t_2$ on B). In that case, the cut rule is applied to the literal $s \in t_2$.

(*) One has to make sure that the $u_c$'s are different from $\mathcal{R}(t)$ for all terms t; it is always possible to choose such $u_c$'s.
Now everything is at hand to define the restricted version of the cut rule:

Definition 17. The restricted cut rule (Cut') is identical to rule (Cut) in Table 3 with the exception that (1) it may only be applied to extend a tableau branch B that is not closed (Def. 15) and is exhausted w.r.t. all other expansion rules; and (2) it may only be applied to a cut formula $s \in t$ satisfying one of the following conditions:

— $t \approx t'$ is on B, $\mathcal{R}(t) \neq \mathcal{R}(t')$, and (a) $s \in P(t)$, $s \notin P(t')$, and $s \in t$ is not on B, or (b) $s \in P(t')$, $s \notin P(t)$, and $s \in t'$ is not on B;

— $t \not\approx t'$, $c \notin t$, and $c \in t'$ are on B (for some constant c), $\mathcal{R}(t) = \mathcal{R}(t')$, $\mathcal{R}(s) = \mathcal{R}(c)$, $s \in P(t)$, $s \notin P(t')$, and $s \in t$ is not on B;

— $t' \notin t$ is on B, $\mathcal{R}(t') \in \mathcal{R}(t)$, $\mathcal{R}(s) = \mathcal{R}(t')$, $s \in P(t)$, and $s \in t$ is not on B.

Using the restricted version of the cut rule preserves completeness:

Theorem 3. An MLSS formula $\phi$ is valid if and only if there is a tableau proof for $\phi$ using the expansion rules from Tables 1-3 with the restriction of the cut rule according to Def. 17, and the closure rule from Def. 15.

4.7 A Comparison with Cantone's Calculus

The calculus for MLSS described in the previous sections is similar to that presented by Cantone in [4]. The main difference is that Cantone's calculus is restricted to normalised literals, i.e., literals not containing complex set terms:

Definition 18. A set literal $\phi$ is normalised iff it is of the form $a \in b$, $a \notin b$, $a \approx b$, $a \not\approx b$, $a \approx b \cup c$, $a \approx b \cap c$, $a \approx b \setminus c$, or $a \approx \{b_1, \ldots, b_n\}_n$ ($n \ge 1$), where a, b, c and $b_1, \ldots, b_n$ are constants.

There is a satisfiability preserving transformation of any finite set $\Phi$ of set literals into a set of normalised set literals by introducing new constants for complex set terms. For example, $a \in (b \cap b')$ is replaced by $c \approx (b \cap b')$ and $a \in c$ where c is a new constant. The overhead for computing the transformation is negligible, because its complexity is polynomial in the size of the set to be transformed. However, the introduction of new constants leads to a much bigger search space, even more so as all these new constants occur in equalities.

Our rules (R7), (R3), (R4), and (R10) are, in combination with rules (EQ1) and (EQ2), extensions for handling literals with complex set terms of the corresponding rules in Cantone's calculus. For example, our rule (R3), which allows to derive $a \in b$ and $a \in b'$ from $a \in (b \cap b')$, corresponds to Cantone's rule that allows to derive $a \in b$ and $a \in b'$ from $c \approx (b \cap b')$ and $a \in c$ (for all a, b, c).

There are no rules in Cantone's calculus corresponding to our rules (R5), (R8), and (R9) for literals expressing negated membership. Consider the three literals $\phi = c \notin (b_1 \cup b_2) \setminus b_3$, $\psi_1 = c \in b_1$, and $\psi_2 = c \notin b_3$, whose conjunction is inconsistent. To close a branch containing these literals, our rules (R9) and (R5) are applied to split the literal $\phi$ and derive that one of $\neg\psi_1$ and $\neg\psi_2$ holds, thus closing the two resulting sub-branches. Since no rules for splitting $\phi$ exist in Cantone's calculus, instead rules for positive membership literals have to be used to derive $\neg\phi$ from $\psi_1$ and $\psi_2$: first, $\phi$ has to be normalised; the result are the literals $c \notin d_1$, $d_1 \approx d_2 \setminus b_3$, and $d_2 \approx b_1 \cup b_2$, where $d_1$ abbreviates $(b_1 \cup b_2) \setminus b_3$ and $d_2$ abbreviates $b_1 \cup b_2$. Then, with two rule applications, $c \in d_2$ and $c \in d_1$ are derived. The latter literal can be used to close the branch; it corresponds to the non-normalised literal $\neg\phi$.

The need (and possibility) to derive more complex terms from simpler ones leads to a larger search space. Our rules, which split complex terms into simpler ones, are more goal directed.

5 A Tableau Calculus for MLSSF

5.1 A Simple Extension of MLSS

To extend the calculus described in the previous sections from MLSS to MLSSF, it suffices to (a) relax the restrictions on the equality rules ((EQ1') and (EQ2') in Table 4), and (b) add a cut rule that uses equalities as cut formulae ((Cut') in Table 4). The new rules only need to be applied to functional set terms. Non-functional terms, even if they are not pure, can be handled by the MLSS rules. The result of using these additional rules is a sound and complete calculus for MLSSF; it is, however, not a decision procedure.

Table 4. Additional expansion rules for MLSSF.
(Premises are written before the slash and conclusions after it; "|" separates the branches of a splitting rule.)

  (EQ1')  $s \approx t,\ \phi[s] \;/\; \phi[t]$
  (EQ2')  $t \approx s,\ \phi[s] \;/\; \phi[t]$
          where the occurrence of s in $\phi$ is inside a functional term
  (Cut')  $/\; t_1 \approx t_2 \;\mid\; t_1 \not\approx t_2$
          where $t_1, t_2$ occur on the branch and at least one is a functional term

Theorem 4. An MLSSF formula $\phi$ is valid iff there is a tableau proof for $\phi$ using the expansion rules from Tables 1-4, and the closure rule from Def. 10.

5.2 Using Rigid E-Unification to Restrict the Equality Cut Rule

The additional rules for MLSSF introduced in the previous section are highly non-deterministic. In this section, we describe an expansion rule for MLSSF that is much more goal-directed and leads to a smaller search space. It is based on the concept of rigid E-unification.

Definition 19. A rigid E-unification problem $(E, s, t)$ consists of a finite set E of equalities and terms s and t; the equalities in E and the terms s and t may contain free variables (and may have variables in common). A substitution $\sigma$ is a solution to the problem iff $E\sigma \models (s\sigma \approx t\sigma)$ where the free variables in $E\sigma$ are "held rigid", i.e., treated as constants.

The problem of deciding whether a given rigid E-unification problem has a solution is decidable (it is NP-complete). In general, the number of solutions is infinite. An overview of methods for rigid E-unification can be found in [1].

The basic idea is to use rigid E-unification for handling the functional part of formulae on a branch and to use the tableau rules for handling the non-functional (i.e. set theoretic) part. The additional tableau rule we describe in the following forms the connecting link between the two parts.

Consider, for example, a branch B containing the two literals $f(a) \approx b$ and $g(f(a \cap (b \cup a))) \in g(b)$. They are inconsistent, because $a \cap (b \cup a) = a$ and, thus, $g(f(a \cap (b \cup a))) = g(f(a)) = g(b)$; this implies $g(b) \in g(b)$, which is a membership cycle. To close the branch, one first has to find out what the important set theoretic identities are that have to be proven (**), in this case $a \cap (b \cup a) = a$. It is impossible to do this using only heuristics; here, for example, it is futile to try to show that $a \cap (b \cup a) = b$.

The question of which set theoretic identities have to be proven to close the branch is transformed into rigid E-unification problems as follows: for each pair s, t of terms that, if they were identical, would allow to close the branch (e.g. if $s \not\approx t$ is on B), one rigid E-unification problem is generated. In s and t all maximal non-functional sub-terms are replaced by (new) variables; the resulting terms and the equalities on the branch form a rigid E-unification problem. Each solution to the problem corresponds to identities between non-functional sub-terms that, when proven, allow to close the branch. The corresponding inequalities are added (disjunctively connected) to the branch.

Definition 20. Given a set L of set literals, its abstraction is constructed by replacing all non-functional (sub-)terms t in L by a new variable $x_t$. Let the substitution $\tau_L$ be defined by: $\tau_L(x_t) = t$ for all terms t in L that have been replaced (i.e., $\tau_L$ is the inverse of the transformation that turns L into its abstraction: applying $\tau_L$ to the abstraction of L gives back L).

Example 2. If $L = \{(a \cap c) \cup b \approx c,\ f(c) \in g(a \cap c, f(d \setminus e))\}$, then the result of the transformation is $\{x_1 \approx x_2,\ f(x_2) \in g(x_3, f(x_4))\}$.

Definition 21. The rigid E-unification expansion rule (EU) is defined as follows: Let B be a branch in a tableau for an MLSSF formula, and let $L_B$ be the set of all literals on B of the form $t_1 \approx t_2$, $t_1 \in t_2$, or $t_1 \notin t_2$. Let $E_B$ be the set of all equalities in $L_B$. Further let $\sigma = \{x_1 \leftarrow r_1, \ldots, x_n \leftarrow r_n\}$ ($n \ge 1$) be a solution to (1) a rigid E-unification problem $(E_B, (s_1, t_1), (s_2, t_2))$ such that $s_1 \in t_1$ and $s_2 \notin t_2$ are in $L_B$, or (2) a rigid E-unification problem $(E_B, (t_1, \ldots, t_n), (t_1', \ldots, t_n'))$ such that literals $t_1 \in t_2', \ldots, t_{n-1} \in t_n'$, and $t_n \in t_1'$ in $L_B$ form a potential membership cycle. Then B may be extended by n new linear subtrees where the nodes of the new subtrees are labelled with the literals $\tau_{L_B}(x_1) \not\approx \tau_{L_B}(r_1), \ldots, \tau_{L_B}(x_n) \not\approx \tau_{L_B}(r_n)$.
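The abstraction of Def. 20 and the extraction of the case (1) problems of Def. 21, as an added example that is not the paper's code; it is checked against Example 2 and against the literals $a \in f(a)$, $a \notin f(a \cup (b \cap a))$ from Sect. 6. The tuple encoding of terms and literals and the variable names x1, x2, ... (numbered by first occurrence) are our own assumptions.

```python
"""Abstraction of set literals for rigid E-unification (Def. 20) and the
extraction of the case (1) problems of Def. 21.

Added example; not the paper's code.  Terms: a constant is a str, set
operators are ('union', s, t), ('inter', s, t), ('diff', s, t), an
application of a free function symbol f is ('app', 'f', arg1, ..., argn),
and a variable is ('var', name).  Literals are ('eq', s, t), ('in', s, t)
and ('notin', s, t).  Variables are numbered x1, x2, ... in order of first
occurrence, which reproduces Example 2.
"""


def is_functional(t):
    return isinstance(t, tuple) and t[0] == 'app'


class Abstraction:
    """Replaces every maximal non-functional (sub-)term by a variable x_t,
    one variable per distinct term, and records the inverse tau_L."""

    def __init__(self):
        self.var_of = {}    # term -> variable
        self.tau = {}       # variable name -> term (tau_L of Def. 20)

    def term(self, t):
        if not is_functional(t):                # maximal non-functional term
            if t not in self.var_of:
                v = ('var', 'x%d' % (len(self.var_of) + 1))
                self.var_of[t] = v
                self.tau[v[1]] = t
            return self.var_of[t]
        # functional term: keep the symbol, abstract the arguments
        return ('app', t[1]) + tuple(self.term(a) for a in t[2:])

    def literal(self, lit):
        kind, s, t = lit
        return (kind, self.term(s), self.term(t))


def abstract(literals):
    """Return (abstracted literals, tau_L) for a list L of literals."""
    ab = Abstraction()
    return [ab.literal(lit) for lit in literals], ab.tau


def apply_tau(tau, t):
    """Apply tau_L to a term; applied to the abstraction it gives L back."""
    if isinstance(t, tuple):
        if t[0] == 'var':
            return tau[t[1]]
        return (t[0],) + tuple(apply_tau(tau, a) for a in t[1:])
    return t                                    # constant or function symbol


def unification_problems(literals):
    """Case (1) of Def. 21: one problem (E_B, (s1, t1), (s2, t2)) for each
    s1 in t1 and s2 not-in t2 of L_B, all over the abstracted literals."""
    abs_lits, tau = abstract(literals)
    eqs = [(s, t) for k, s, t in abs_lits if k == 'eq']
    pos = [(s, t) for k, s, t in abs_lits if k == 'in']
    neg = [(s, t) for k, s, t in abs_lits if k == 'notin']
    return [(eqs, p, q) for p in pos for q in neg], tau


# Constructed samples: L from Example 2, and formulae 7 and 8 of Sect. 6.
EXAMPLE_2 = [('eq', ('union', ('inter', 'a', 'c'), 'b'), 'c'),
             ('in', ('app', 'f', 'c'),
              ('app', 'g', ('inter', 'a', 'c'), ('app', 'f', ('diff', 'd', 'e'))))]
SECT_6 = [('in', 'a', ('app', 'f', 'a')),
          ('notin', 'a', ('app', 'f', ('union', 'a', ('inter', 'b', 'a'))))]

if __name__ == '__main__':
    print(abstract(EXAMPLE_2))
    print(unification_problems(SECT_6))
```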

Example 3. We continue the example from the beginning of this section and apply the rule (EU) to show that a branch containing the literals $f(a) \approx b$ and $g(f(a \cap (b \cup a))) \in g(b)$ is inconsistent. The only rigid E-unification problem that can be extracted from these literals is $(\{f(x_a) \approx x_b\},\ g(f(x_{a \cap (b \cup a)})),\ g(x_b))$. Its simplest solution is the substitution $\{x_a \leftarrow x_{a \cap (b \cup a)}\}$. Thus, the rule (EU) allows to add $a \not\approx a \cap (b \cup a)$ to the branch. The complete proof is shown in Fig. 1.

(**) An identity is proven by using it as a cut formula; after the branch that contains its negation has been closed, it is available on the remaining open branch.



                    f(a) ≈ b
            g(f(a ∩ (b ∪ a))) ∈ g(b)
                       |
                 a ≉ a ∩ (b ∪ a)
                /               \
      c ∈ a                      c ∉ a
      c ∉ a ∩ (b ∪ a)            c ∈ a ∩ (b ∪ a)
       /       \                       |
   c ∉ a      c ∉ b                  c ∈ a
     *        c ∉ a                  c ∈ b ∪ a
                *                      *

Fig. 1. A tableau proof using the rule (EU) (Example 3).



It is not necessary to consider rigid E-unification problems constructed from inequalities $s \not\approx t$ because, when rule (R11) has been applied, the abstracted set of branch literals contains literals $x_c \in s$, $x_c \notin t$ or $x_c \notin s$, $x_c \in t$.

The (EU) expansion rule partly overlaps with other expansion rules. It allows, for example, to derive $s_1 \not\approx s_2$ from $s_1 \in t$ and $s_2 \notin t$ if $s_1$ and $s_2$ are non-functional set terms. This is also possible by applying the rule (R11).

Theorem 5. An MLSSF formula $\phi$ is valid if and only if there is a tableau proof for $\phi$ using the expansion rules from Tables 1-4, the rule (EU) (Def. 21), and the closure rule from Def. 10.

The rule (EU) is sound and helps to reduce the search space; we conjecture that completeness is preserved if the rules (EQ1'), (EQ2'), and (Cut') are replaced by (EU), but have not proven this yet.

6 An Example

As an example, we prove that the MLSSF formula

$\phi = [x \in [(f(x) \setminus f(x \cup (y \cap x))) \cup z \cup w] \wedge w \cup y \in x] \rightarrow x \in z$

is valid; it contains the free function symbol f. Intuitively, the reason for the validity of $\phi$ is the following: We assume that x is an element of (at least) one of the three sets $u = f(x) \setminus f(x \cup (y \cap x))$, z, and w, and that $w \cup y$ is an element of x. Now, the set u cannot contain x, because $x = (x \cup (y \cap x))$ and therefore u is empty for all interpretations of f; the set w cannot contain x, otherwise there would be a membership cycle $x \in (w \cup y) \in x$. Therefore, z contains x.

Figure 2 shows a tableau proof for $\phi$. Its root is labelled with the Skolemisation $\neg([a \in [(f(a) \setminus f(a \cup (b \cap a))) \cup d \cup e] \wedge e \cup b \in a] \rightarrow a \in d)$ of $\neg\phi$. The i-th formula in the tableau is labelled with [i;j;R], which indicates that it has been derived from the j-th formula applying the expansion rule R.

Formula 9 is derived from formulae 7 and 8 applying the E-unification rule. A solution to the E-unification problem $(\emptyset, (x_a, x_a), (f(x_a), f(x_{a \cup (b \cap a)})))$, which is constructed from 7 and 8, is the substitution $\{x_a \leftarrow x_{a \cup (b \cap a)}\}$. Accordingly, the inequality $a \not\approx a \cup (b \cap a)$ is added to the branch.

The branch ending in formula 21 is closed by the membership cycle $e \cup b \in a$ and $a \in e \cup b$ (formulae 2 and 21). All other branches are closed by complementary literals; their leaves are labelled with the numbers of the closing literals.

If the closure rule that uses the sets of implicit predecessors to detect implicit membership cycles is used (Def. 15), the cut rule application that generates formulae 22 and 23 is not needed. Instead, the branch ending in the literal 21 is already closed; it contains an implicit cycle because $a \in e$ implies $a \in e \cup b$ (this cycle is made explicit by the cut rule application).

Implicit cycles can be detected by calculating the predecessor relation for the branch. The set of possible predecessors for the branch ending in formula 21 is $\{a, b, d, e, f(a), f(a \cup (b \cap a)), (e \cup b)\}$. The predecessor sets of the constants are $P(a) = \{e \cup b\}$, $P(b) = \emptyset$, $P(d) = \emptyset$, and $P(e) = \{a\}$. The predecessor set of $e \cup b$ is $P(e \cup b) = P(e) \cup P(b) = \{a\}$. Thus, we have $a \in P(e \cup b)$ and $e \cup b \in P(a)$, which indicates the presence of an implicit membership cycle.
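The predecessor sets of Def. 14 and the implicit-cycle test of Def. 15, run over the membership literals of the branch just discussed, as an added example that is not code from the paper. The tuple encoding of set terms, the BRANCH_21 sample (formulae 4 and 21 only) and the simplification that every left-hand side of a membership literal counts as a member of $V \cup \mathcal{T}$ are our assumptions.

```python
"""Implicit predecessor sets (Def. 14) and the implicit-cycle closure test
(Def. 15), applied to the branch of Sect. 6 that ends in formula 21.

Added example; this is not code from the paper.  Set terms are nested
tuples: a constant is a str, ('empty',) is the empty set, and
('union', s, t), ('inter', s, t), ('diff', s, t), ('set', t1, ..., tn)
stand for union, intersection, difference and {t1, ..., tn}.  A branch is
given by the list of its membership literals, as pairs (s, t) meaning
"s in t is on B".  Functional terms (f(a) etc.) are left out, since
Def. 14 does not cover them.
"""


def subterms(t):
    """Yield t and all of its (sub-)terms."""
    yield t
    if isinstance(t, tuple) and t[0] != 'empty':
        for arg in t[1:]:
            yield from subterms(arg)


def predecessors(t, members):
    """P(t) according to Def. 14.

    Simplification (our assumption): every s with s in t on the branch is
    taken to be in V union T, i.e. we do not filter by the sub-terms of
    the root formula.
    """
    if isinstance(t, str):                               # case (2): constant
        return frozenset(s for s, u in members if u == t)
    op = t[0]
    if op == 'empty':                                    # case (1)
        return frozenset()
    if op == 'union':                                    # case (3)
        return predecessors(t[1], members) | predecessors(t[2], members)
    if op == 'inter':                                    # case (4)
        return predecessors(t[1], members) & predecessors(t[2], members)
    if op == 'diff':                                     # case (5)
        return predecessors(t[1], members) - predecessors(t[2], members)
    if op == 'set':                                      # case (6)
        explicit = frozenset(s for s, u in members if u == t)
        return explicit | frozenset(t[1:])
    raise ValueError(f'unknown set term {t!r}')


def implicit_cycle(members):
    """Return [t1, ..., tn] with t1 in P(t2), ..., tn in P(t1), or None.

    The branch is closed by Def. 15(b) exactly when such a cycle exists.
    We search the graph with an edge s -> t whenever s in P(t) by DFS,
    keeping the current path so the cycle itself can be reported.
    """
    terms = set()
    for s, t in members:
        terms.update(subterms(s))
        terms.update(subterms(t))
    pred = {t: predecessors(t, members) for t in terms}
    succ = {s: [t for t in terms if s in pred[t]] for s in terms}
    done = set()

    def dfs(node, path):
        for nxt in succ[node]:
            if nxt in path:                       # back edge: cycle found
                return path[path.index(nxt):]
            if nxt not in done:
                done.add(nxt)
                found = dfs(nxt, path + [nxt])
                if found:
                    return found
        return None

    for start in sorted(terms, key=repr):
        if start not in done:
            done.add(start)
            found = dfs(start, [start])
            if found:
                return found
    return None


# Constructed sample: the membership literals of the branch ending in
# formula 21 of Fig. 2 (formula 4: e ∪ b ∈ a; formula 21: a ∈ e).
BRANCH_21 = [(('union', 'e', 'b'), 'a'), ('a', 'e')]

if __name__ == '__main__':
    for t in ['a', 'b', 'd', 'e', ('union', 'e', 'b')]:
        print(t, '->', set(predecessors(t, BRANCH_21)))
    print('implicit cycle:', implicit_cycle(BRANCH_21))
```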



[Fig. 2 is a tableau proof tree; its nodes, labelled [i;j;R] as explained above, as far as they are legible in the scan:]

[0;-;init]   ¬([a ∈ [(f(a) \ f(a ∪ (b ∩ a))) ∪ d ∪ e] ∧ e ∪ b ∈ a] → a ∈ d)
[1;0;α]      a ∈ [(f(a) \ f(a ∪ (b ∩ a))) ∪ d ∪ e] ∧ e ∪ b ∈ a
[2;0;α]      a ∉ d
[3;1;α]      a ∈ [(f(a) \ f(a ∪ (b ∩ a))) ∪ d ∪ e]
[4;1;α]      e ∪ b ∈ a

Left branch (R7 on 3):
[5;3;R7]     a ∈ f(a) \ f(a ∪ (b ∩ a))
[7;5;R4]     a ∈ f(a)
[8;5;R4]     a ∉ f(a ∪ (b ∩ a))
[9;(7,8);EU] a ≉ a ∪ (b ∩ a)
  (R12 on 9, first branch)       (R12 on 9, second branch)
  [10;9;R12]  c1 ∈ a              [12;9;R12]  c1 ∉ a
  [11;9;R12]  c1 ∉ a ∪ (b ∩ a)    [13;9;R12]  c1 ∈ a ∪ (b ∩ a)
  [14;11;R5]  c1 ∉ a   *[14,10]   (R7 on 13) [16] c1 ∈ a  *[16,12]  |  [17;13;R7] c1 ∈ b ∩ a
  [15;11;R5]  c1 ∉ b ∩ a                                               [18;17;R3] c1 ∈ b
                                                                       [19;17;R3] c1 ∈ a   *[19,12]

Right branch (R7 on 3):
[6;3;R7]     a ∈ d ∪ e
  (R7 on 6)  [20] a ∈ d  *[20,2]  |  [21;6;R7] a ∈ e
  (Cut)      [22;-;Cut] a ∈ e ∪ b  *[Cycle with 4]  |  [23;-;Cut] a ∉ e ∪ b
                                                       [24;23;R5] a ∉ e   *[24,21]
                                                       [25;23;R5] a ∉ b

Fig. 2. Tableau proof for the formula φ from Sect. 6.
7 Conclusion

We have presented an improved tableau calculus for the fragment MLSS of set 
theory that extends the calculus described in [4]. Our tableau expansion rules 
are more goal-directed; this leads to a smaller search space, which is important 
for the efficiency of an implementation. Our calculus is a sound and complete 
decision procedure for MLSS. In addition, we have described a version of the 
calculus for the larger fragment MLSSF (MLSS with free function symbols); and 
we have shown how to use a special tableau rule based on rigid E-unification to 
reduce the search space in the case of MLSSF. 

Future work includes, besides an implementation and practical evaluation of 
our calculus, its extension to larger (and undecidable) fragments that (a) contain 
additional set theoretic operators such as, for example, the power set operator, 
and that (b) allow existential quantification of variables. 

Acknowledgement. We thank Domenico Cantone, Sebastiano Battiato, and 
three anonymous referees for useful comments on an earlier version of this paper. 
Abstract. This paper introduces a tableau method for propositional interval temporal logic (ITL) [14]. Beyond the usual operators of linear temporal logic, ITL contains sequencing and iterative operators, ; and proj, akin to programming combinators. Central to our approach is a normal form for the formulas of ITL, particularly ; and proj, in terms of the '$\bigcirc$' (next) operator of the logic.



1 Introduction 

Interval Temporal Logic (ITL) is an important class of temporal logic. Early work on the topic was performed by Moszkowski [14] with a number of researchers progressing the topic since then, e.g. Hale [9], Kono [10], Duan [7], Cau et al. [6], Bowman et al. [3] and Thompson [17].

Standard temporal logics are defined over infinite state models; for example, the models of LTL, the linear time temporal logic developed by Manna and Pnueli [12], are infinite state sequences. However, in interval temporal logic the model theory is restricted to finite state sequences, called intervals, though it is possible to extend the interpretation to infinite sequences, and thus to see ITL as an extension of LTL.

There are a number of reasons for being interested in such logics. One reason is that interval temporal logic lends itself to execution. This is apparent from Moszkowski's work [14]. In addition, a number of interesting and powerful operators arise naturally from ITL. In fact, it is straightforward to derive operators very like the constructs of imperative programming (e.g. assignment, conditionals, iteration etc.). This then yields the possibility that abstract specifications and concrete implementations can be realised in the same notation, with refinement mappings between them. This we have used in our work in the field of multimedia document description [3].

An additional aspect of interval temporal logic is that it provides a very simple real-time model in which one unit of time passes when moving from state to state. Consequently, timings can be obtained by measuring interval lengths. The ITL operator len(n) is used for this purpose. This operator is satisfied by any interval with n + 1 states (transitions between states are counted rather than numbers of states).
Two operators which are characteristic of interval temporal logic are the Chop operator ; and the projection operator proj. The former of these implements a form of sequential composition; an interval will satisfy P ; Q if it can be divided into two contiguous sub-intervals such that P holds over the first sub-interval and Q holds over the second. The operator is illustrated in figure 1, where line segments depict intervals.

[Fig. 1. Chop and Projection. Line segments depict intervals: P ; Q is drawn as one interval split into two contiguous sub-intervals labelled P and Q; P proj Q is drawn as a sequence of sub-intervals each labelled P, whose end points form the sequence of states over which Q holds.]

In contrast, the projection operator yields repetitive behaviour; an interval satisfies P proj Q if it can be sub-divided into a series of sub-intervals, each of which satisfies P (we call P the projection formula), and the new interval formed from the end points of these sub-intervals satisfies Q, which we call the projected formula. The operator is illustrated in figure 1; notice that the interval over which Q holds is not depicted as a line segment, rather it is the concatenation of the depicted sequence of points (each of which represents a state).

The value of the Chop operator should be self evident; however, the motivation behind projection will perhaps be clarified by some examples. An important use of projection is in deriving iteration constructs. For example, for loops and while loops can be derived using projection. The for loop is defined as:

$\mathbf{for}\ n\ \mathbf{times}\ \mathbf{do}\ P \;=\; P\ \mathit{proj}\ \mathit{len}(n)$

Notice how len(n) is used to count the number of iterations, by counting endpoints of sub-intervals. In contrast, the while loop is defined as:

$\mathbf{while}\ P\ \mathbf{do}\ Q \;=\; (P \wedge Q)^{*} \wedge \Box(\mathit{len}(0) \rightarrow \neg P)$

$\Box$ is the ITL operator henceforth: $\Box P$ holds over an interval in which P holds over all suffixes of the interval; and $R^{*}$ gives arbitrary repetition of R; it is defined as:

$R^{*} \;=\; R\ \mathit{proj}\ \mathit{True}$

In the while loop P will typically be a point formula, that is, a formula whose interpretation depends only on the first point of an interpreting interval, rather than the whole interval. For example, an atomic proposition, p say, when lifted to the interval level, will hold over any interval in which p is true at the first state of the interval. Point formulas are called local formulas in some work [10].

It should also be pointed out that projection has proved a valuable operator 
in the real-time setting where it can be used to realise temporal abstraction [13] 
and hence, for example, it can describe speeding up or slowing down real-time 
presentations [3]. 

Tableau methods have been extensively investigated in the standard (infinite) temporal logic setting, e.g. [11]. In addition, there has been some tableau work in the interval temporal logic setting, e.g. Kono [10], but this work is far less mature than that found in the (infinite) temporal logic setting. The reason for this disparity is that ITL operators are in many senses more difficult to deal with. For example, inductive definitions of the until operator of standard temporal logic are straightforward, e.g.

$P\ \mathcal{U}\ Q \;=\; Q \vee (P \wedge \bigcirc(P\ \mathcal{U}\ Q))$

In contrast, inductive definitions of chop and projection are inherently more complex. In particular, with chop an inductive definition must cope with its first argument evolving when the operator is unfolded. This issue will become clear when we present our normal forms for chop.

Research work that is closest to ours is that by Rosner and Pnueli [16]. The 
logic considered in their work is a version of standard (infinite) temporal logic 
which includes the chop operator and they do give a tableau algorithm. However, 
although this work gives a number of relevant insights it is rather complex and 
does not handle the projection operator. 

In this paper we do present a complete tableau method for interval temporal 
logic and we include the projection operator. Central to our strategy is the 
identification of normal forms for all the operators of our logic. In effect, these 
normal forms give inductive definitions of the ITL operators. Then, in the style 
of Wolper [18], we define a tableau decision procedure to check satisfiability of 
our logic. 

Structure of the Paper. Section 2 presents background on interval temporal 
logic while section 3 presents our normal form. Finally, section 4 describes our 
tableau algorithm. 

Acknowledgement. We would like to acknowledge the support - in the form 
of travel assistance - given to us by the British Council. 

2 Interval Temporal Logic 

The interval temporal logic that we use is defined in the following subsections. In 
the context of this paper we will call this logic PITL, for Propositional Interval 
Temporal Logic. 

We begin by defining intervals, which will give the semantic models for our 
logic. 
2.1 Intervals

PITL is defined over finite state sequences. Each sequence is called an interval and X denotes the set of all possible intervals; $\sigma \in X$ has the form $\sigma_0, \sigma_1, \ldots, \sigma_{|\sigma|}$, where $|\sigma|$ denotes the length of an interval and $\sigma_i$ denotes the ith state in an interval. By convention the length of an interval is the number of states minus one and all intervals must have at least one state. We use $[\sigma]^i$ to denote the ith prefix of an interval and $(\sigma)^i$ to denote the ith suffix of an interval; formally, $[\sigma]^i = \sigma_0, \ldots, \sigma_i$ and $(\sigma)^i = \sigma_i, \ldots, \sigma_{|\sigma|}$. Each state is a set containing all the atomic propositions that are true at that state.



2.2 The Logic 

The set of formulas of propositional logic is denoted $\mathcal{V}$ and $P \in \mathcal{V}$ is constructed as follows, where $n \in \mathbb{N}$:

$P ::= p \mid \mathit{False} \mid \neg P \mid P \vee P \mid \bigcirc P \mid \mathit{empty} \mid P\ ;\ P \mid P\ \mathit{proj}\ P$

Much of this logic will be well known to a reader familiar with interval temporal logic.

— $\mathit{False}$, $\neg$ and $\vee$ are the familiar connectives of classical propositional logic. A full set of logical operators can be derived in the usual way.

— p is chosen from a set of atomic propositions.

— $\bigcirc$ is the (strong) next operator. Thus, $\bigcirc P$ holds if and only if P holds over an interval of length one less than the current interval, resulting from moving one state into the future. In particular, $\bigcirc P$ is False on an empty interval.

— $\mathit{empty}$ holds over any interval of length zero, i.e. which has one state.

— ; and proj are as described in the introduction.

The reader who requires a more detailed discussion of these operators is referred to [14] and also [3], where we also argue that the proj operator is not definable from the other operations.

Also, we have the following standard derived operators. A wealth of other operators can be defined, see for example [4].

$\odot P = \bigcirc P \vee \mathit{empty}$, $\quad \Diamond P = \mathit{True}\ ;\ P$, $\quad \Box P = \neg\Diamond\neg P$,
$\mathit{len}(0) = \mathit{empty}$ and $\mathit{len}(n+1) = \bigcirc\mathit{len}(n)$.

Thus, in addition to the standard logical derivations, we have an operator to measure the length of an interval, len; a weak next operator, $\odot$; eventually, $\Diamond$; and henceforth, $\Box$.
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a 1= empty iff \a\ = 0 



a 1= OP iff (cr)^ 1= P 

a \= Pi; P2 iff 3k £ J\f {k < \ct\ and [u]^ ^ Pi and (cr)*^ ^ P2) 



(7 1= Pi proj P 2 iff 3m G A/” and 3 to, Ti, Tm G A/” 
(0 = To < n < ... <Tm = \(j\ and 
Vj < m ([< 7 ]’'^+^)’'^ 1= Pi and 

<7tq T'ti . . . (7Tm 1= p2 ) 



Fig. 2. Satisfaction for PITL 



Interpreting PITL. Our satisfaction relation interprets PITL formulae over 
intervals. The notation $\sigma \models P$ denotes that the interval $\sigma$ satisfies (or models) 
the formula $P$. 

We interpret PITL propositions in the usual way, by induction over the struc- 
ture of propositions. The satisfaction relation for the main operators is shown 
in figure 2; others which are standard can be found in [5]. In particular, chop 
subdivides the given interval into two sub-intervals: the prefix $[\sigma]^k$, ending at the 
$k$th state, which satisfies $P_1$, and the suffix $(\sigma)^k$, starting at the $k$th state, which 
satisfies $P_2$. The two sub-intervals arising from chop have one common state, the 
$k$th state in the above definition. Thus, the last state of the sub-interval over which 
$P_1$ holds is the first state of the sub-interval over which $P_2$ holds. 

The semantics of projection also requires some explanation. The definition 
states that for an interval to satisfy $P_1\ proj\ P_2$ there must exist a sequence 
of $m+1$ strictly increasing points (or states) in the interval, $\tau_0, \tau_1, \ldots, \tau_m$, such that the 
first and last points bound the interval. (It is common only to constrain this 
sequence to be non-decreasing, e.g. [14]; however, this generates a number of 
pathological cases that we manage to avoid in our definition.) This sequence of 
points effectively divides the interval into a series of $m$ sub-intervals, each of 
which comprises the states between $\tau_j$ and $\tau_{j+1}$. We require that $P_1$ holds over 
each of these sub-intervals and, in addition, that $P_2$ holds when $\sigma_{\tau_0}, \ldots, \sigma_{\tau_m}$ 
is viewed as an interval. 



Satisfaction and Validity. We say that an interval $\sigma$ satisfies a proposition 
$P$ if and only if $\sigma \models P$. In addition, in the usual way, we say that $P$ is valid if 
and only if $\sigma \models P$ for every interval $\sigma$. If $P$ is valid we write $\models P$. 
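The satisfaction relation of figure 2, written out as an executable checker. This is an added example and not code from the paper: the tuple encoding of formulas, the representation of an interval as a list of states (each state the set of atoms true there), and the helper names are choices made here. Because intervals are finite, bounded satisfiability and validity can be decided by enumerating every interval up to a given length, which is how the checker tests the identities the text states (for instance $\Diamond P = P \vee \bigcirc \Diamond P$) and shows that $len(2)\ proj\ len(2)$ needs exactly four steps.

```python
from itertools import combinations, product

# PITL formulas as nested tuples (encoding chosen for this example):
# ('true',), ('atom', p), ('not', f), ('and', f, g), ('or', f, g),
# ('empty',), ('next', f), ('chop', f, g), ('proj', f, g).
# An interval sigma is a non-empty list of states, each state being the set of atoms
# true there; its length |sigma| is len(sigma) - 1, so a one-state interval has length 0.

def holds(sigma, f):
    """sigma |= f, following the satisfaction clauses of Fig. 2."""
    k = f[0]
    if k == 'true':  return True
    if k == 'atom':  return f[1] in sigma[0]            # an atom is evaluated at the first state
    if k == 'not':   return not holds(sigma, f[1])
    if k == 'and':   return holds(sigma, f[1]) and holds(sigma, f[2])
    if k == 'or':    return holds(sigma, f[1]) or holds(sigma, f[2])
    if k == 'empty': return len(sigma) == 1
    if k == 'next':  return len(sigma) > 1 and holds(sigma[1:], f[1])   # strong next
    if k == 'chop':  # some i <= |sigma| with [sigma]^i |= P1 and (sigma)^i |= P2; state i is shared
        return any(holds(sigma[:i + 1], f[1]) and holds(sigma[i:], f[2])
                   for i in range(len(sigma)))
    # proj: 0 = t0 < t1 < ... < tm = |sigma|, P1 over every [t_j, t_(j+1)],
    # P2 over the projected interval made of the states at t0, ..., tm
    last = len(sigma) - 1
    def cuts(t):                                        # strictly increasing cut sequences t..last
        if t == last:
            yield [t]
            return
        for u in range(t + 1, last + 1):
            for rest in cuts(u):
                yield [t] + rest
    return any(all(holds(sigma[ts[j]:ts[j + 1] + 1], f[1]) for j in range(len(ts) - 1))
               and holds([sigma[t] for t in ts], f[2]) for ts in cuts(0))

# Derived operators exactly as defined in the text.
def length(n):                      # len(0) = empty, len(n+1) = next len(n)
    f = ('empty',)
    for _ in range(n):
        f = ('next', f)
    return f
def eventually(f): return ('chop', ('true',), f)            # <>P = True ; P
def henceforth(f): return ('not', eventually(('not', f)))    # []P = not <> not P
def weak_next(f):  return ('or', ('next', f), ('empty',))

def intervals(atoms, max_len):
    """Every interval over the given atoms of length at most max_len."""
    states = [frozenset(s) for r in range(len(atoms) + 1) for s in combinations(atoms, r)]
    for m in range(1, max_len + 2):                     # m states = length m - 1
        for seq in product(states, repeat=m):
            yield list(seq)

def satisfiable_up_to(f, atoms, max_len):
    """Bounded satisfiability: does some interval of length <= max_len satisfy f?"""
    return any(holds(s, f) for s in intervals(atoms, max_len))

def valid_up_to(f, atoms, max_len):
    """Bounded validity: do all intervals of length <= max_len satisfy f?"""
    return all(holds(s, f) for s in intervals(atoms, max_len))

def equivalent_up_to(f, g, atoms, max_len):
    """f and g agree on every interval of length <= max_len."""
    return all(holds(s, f) == holds(s, g) for s in intervals(atoms, max_len))
```

Enumeration is exponential in the bound and the number of atoms, so this is a reference oracle for small formulas, not a decision procedure; the tableau of Section 4 is the procedure the paper proposes.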
3 Normal Forms in Interval Temporal Logic 

3.1 A Normal Form for PITL 

The use of normal forms in temporal logic is now relatively common, e.g. [1], 
[8]. Furthermore, a number of authors have proposed normal forms for interval 
temporal logic, e.g. [14], [10], [7]. 

Our normal form is based on that of previous workers; it has the general 
format: 

$(empty \wedge P_e) \vee \bigvee_i (P_i \wedge \bigcirc P'_i)$ 

where $P_e$ and the $P_i$ are point formulas and each $P'_i$ is a general PITL formula. The 
left disjunct characterises under what circumstances a formula can be satisfied 
over an empty interval, while the second disjunct characterises the possible ways 
in which a formula can be satisfied over an interval of length greater than zero, 
i.e. a point property must hold at the initial state and then an arbitrary property 
must hold over the remainder of the interval. 

You should also note that this normal form embodies a recipe for evaluating 
PITL formulae. The first disjunct embodies a base case, i.e. what must hold of a 
one-state interval, while the second disjunct embodies an inductive step, i.e. one 
of the $P_i$'s must hold now and the associated $P'_i$ must hold from the next state 
onwards. 

We claim that any arbitrary PITL formula can be mapped into this normal 
form. The next subsection illustrates this claim; the validity of the mapping 
is proved in [5], and for space reasons we have had to exclude this proof from this 
paper. 



3.2 Inductive Definition of the Normal Form 

We proceed through PITL highlighting how each construct of the logic can be 
expressed in our normal form. We thereby give an inductive definition of the 
normal form. So, assume $Q$ is an arbitrary formula of PITL and assume that $P_1$, 
$P_2$ and $P$ are already in normal form, as follows: 

$P_1 = (empty \wedge P_{e,1}) \vee \bigvee_i (P_{i,1} \wedge \bigcirc P'_{i,1})$ 

$P_2 = (empty \wedge P_{e,2}) \vee \bigvee_j (P_{j,2} \wedge \bigcirc P'_{j,2})$ 

$P = (empty \wedge P_e) \vee \bigvee_i (P_i \wedge \bigcirc P'_i)$ 

Non-temporal Operators. Apart from negation, which will be discussed in the 
next subsection, all the non-temporal operators can be mapped into the normal 
form in a relatively straightforward fashion. Full details can be found in [5], but 
by way of illustration, disjunction is handled as follows: 

$Q = P_1 \vee P_2 = (empty \wedge (P_{e,1} \vee P_{e,2})) \vee \bigvee_i (P_{i,1} \wedge \bigcirc P'_{i,1}) \vee \bigvee_j (P_{j,2} \wedge \bigcirc P'_{j,2})$ 
Partitioned normal forms. Before we cover the normal form for negations of 
propositions, we take a detour into elementary propositional calculus. We say 
that a collection of formulas $(P_i)_i$ partitions True when 

— $\bigvee_i P_i = True$ - the partition is exhaustive; and 

— $\bigvee_{i \neq j} (P_i \wedge P_j) = False$ - the partition is exclusive. 

It is an exercise to show that in the case that $(P_i)_i$ partitions True then, 

$\neg \bigvee_i (P_i \wedge Q_i) = \bigvee_i (P_i \wedge \neg Q_i)$ 

(exactly one $P_i$ holds, so both sides reduce to the negation of that $Q_i$). 

We call a normal form 

$(empty \wedge P_e) \vee \bigvee_i (P_i \wedge \bigcirc P'_i)$ 

partitioned when $(P_i)_i$ partitions True. 

We can turn an arbitrary normal form into partitioned form - the details of 
this procedure can be found in [5]. Some logical operations (including conjunc- 
tion and projection) preserve the property of being partitioned; others, notably 
disjunction and chop, do not. Using the technique outlined in this section we 
can put normal forms into partitioned form should that be necessary for what 
follows. 



Negation. Using the material in the previous section, if $P$ is in partitioned 
normal form then 

$Q = \neg P = (empty \wedge \neg P_e) \vee \bigvee_i (P_i \wedge \bigcirc \neg P'_i)$ 

Any normal form can be transformed into partitioned normal form, and so can 
be negated by this method. 



Temporal Operators. Empty. If $Q$ is $empty$ then, 

$Q = empty = (empty \wedge True) \vee (False \wedge \bigcirc True)$ 

Thus, $empty$ holds over any arbitrary "one state" interval, but fails to hold 
over any "larger" interval. 

Next. If $Q$ is $\bigcirc P$ then, 

$Q = \bigcirc P = (empty \wedge False) \vee (True \wedge \bigcirc P)$ 

Thus, $\bigcirc P$ cannot hold over an empty interval (this is because it is a strong 
next), while it puts no constraints on the first state of a non-empty interval and 
requires that $P$ holds over the remainder of the interval. 



Chop. If $Q$ is $P_1 ; P_2$ then, 

$Q = P_1 ; P_2 = (empty \wedge (P_{e,1} \wedge P_{e,2})) \vee$ 
$\bigvee_i (P_{i,1} \wedge \bigcirc (P'_{i,1} ; P_2)) \vee$ 
$\bigvee_j ((P_{e,1} \wedge P_{j,2}) \wedge \bigcirc P'_{j,2})$ 

The normal form embodies three cases. 

— The first disjunct gives the condition under which the chop formula holds 
over an empty interval, namely when the two constituent formulas hold over 
the empty interval; 

— the second disjunct is the condition in which $P_1$ holds over a non-empty 
interval, and $P_2$ holds over the remainder; and, 

— the third disjunct embodies the case where $P_1$ holds over an empty interval 
and $P_2$ holds over the entire (non-empty) interval. 

The negation of chop is given by transforming the normal form given here 
into the partitioned normal form, as explained above. 

Projection. If $Q$ is $(P_1\ proj\ P_2)$ then, 

$Q = P_1\ proj\ P_2 = (empty \wedge P_{e,2}) \vee$ 
$\bigvee_i \bigvee_j ((P_{i,1} \wedge P_{j,2}) \wedge \bigcirc (P'_{i,1} ; P_1\ proj\ P'_{j,2}))$ 

The normal form embodies two cases. 

— The first disjunct gives the condition under which the projection holds over 
an empty interval, namely when $P_2$ holds over the (empty) interval. 

— The other disjunct gives the condition where $(P_1\ proj\ P_2)$ holds over a 
non-empty interval. A choice of initial-state conditions of $P_1$ and $P_2$, such 
as $P_{i,1}$ and $P_{j,2}$, must hold at the first state; over the remaining part of the 
interval a chop has to hold. First the remainder of the $P_1$ condition - $P'_{i,1}$ - 
must hold, then the derivative of the projection - $(P_1\ proj\ P'_{j,2})$ - must 
hold. This is illustrated in Figure 3. 

Note that if $P_1$ and $P_2$ are in partitioned normal form then this normal form 
will also be partitioned. 



Fig. 3. The Normal Form for Projection 

3.3 Example 

Assume that the formula $P$ is in normal form and consider the derived formula 
eventually $P$, $\Diamond P$. The standard derivation of eventually is from chop, 

$\Diamond P = True ; P$ 

Now, using the normal form rule for chop (with $True$ in normal form as 
$(empty \wedge True) \vee (True \wedge \bigcirc True)$), $\Diamond P$ can be placed in normal form 
as follows: 

$\Diamond P = (empty \wedge P_e)$ 
$\vee (True \wedge \bigcirc (True ; P))$ 
$\vee \bigvee_i (P_i \wedge \bigcirc P'_i)$ 

Notice that using associativity and symmetry of disjunction and True as 
unit of conjunction we can reduce this to: 

$\Diamond P = P \vee \bigcirc \Diamond P$ 

which is a more common "inductive" interpretation of $\Diamond$. 

4 The Tableau Method 

In this section we present a tableau decision procedure for checking the satis- 
fiability of PITL formulae. The decision procedure is influenced by the tableau 
procedures developed for standard temporal logic, e.g. [2] [15] and [18]. Our work 
particularly builds from the tableau method defined by P. Wolper [18]. 

The tableau decision algorithm is a graph construction (and then reduction) 
algorithm. Nodes of the graph are sets of PITL formulae; these are said to label 
the node. Edges in the graph represent steps to satisfaction of the formulas of a 
node. 

These steps are made according to a set of tableau (decomposition) rules. 
Branches in the tableau reflect disjunctive choices. 

An important element of the tableau rules is that they subdivide the require- 
ments imposed by temporal formulas into requirements on the present (i.e. the 
first state of an interval) and requirements on the remainder of the interval, the 
latter being embodied in a formula of the form $\bigcirc P$. This is in fact exactly the 
subdivision in our normal form rules. Accordingly our normal forms will play a 
central role in these tableau rules. 

A set of graph construction rules build the graph using the tableau rules. 
In particular, the graph construction rules generate time passing steps in the 
tableau that unravel next formulas. 

The final stage of the tableau algorithm is a graph reduction algorithm which 
systematically removes unsatisfiable nodes in the graph. A formula can then be 
deduced to be satisfiable if it appears in the reduced graph. 

We will work through the different stages of the tableau algorithm in turn, 
but first some notation. 

Notation. The following notation is related to that used in [18]. 

— The formula being evaluated is called the initial formula. 

— The labelling of node $n$ is denoted $\Gamma_n$. 

— A formula $P$ is called elementary if 

1. it is an atomic proposition or the negation of an atomic proposition; 

2. it is $empty$ or $\neg empty$; or 

3. it has $\bigcirc$ as the main connective. 

— A node containing only elementary formulae is called a state. 

— A pre-state is a node that is either initial or the immediate son of a state. 

Tableau Rules. The tableau rules (also called decomposition rules) drive the 
reduction of formulae into their components. They map a formula into a set of 
sets of formulas, i.e. they have the form: 

$P \rightarrow \{S_1, S_2, \ldots, S_n\}$ 

where each $S_i$ is a set of PITL formulas. The interpretation that such rules embody 
is that $P$ can be satisfied if there exists a $j$ ($1 \le j \le n$) such that all formulas 
in $S_j$ can together be satisfied. 

Our first set of rules are standard and are unchanged from those in [18]: 

$\neg\neg P \rightarrow \{\{ P \}\}$ 

$P_1 \wedge P_2 \rightarrow \{\{ P_1 , P_2 \}\}$ 

$\neg(P_1 \wedge P_2) \rightarrow \{\{ \neg P_1 \}, \{ \neg P_2 \}\}$ 

$P_1 \vee P_2 \rightarrow \{\{ P_1 \}, \{ P_2 \}\}$ 

$\neg(P_1 \vee P_2) \rightarrow \{\{ \neg P_1 , \neg P_2 \}\}$ 

We also need the following rule which enables the next operator to be moved 
to the top level through negation. Notice that since we are using a strong next 
operator, $\bigcirc P$ will fail over any empty interval. 

$\neg \bigcirc P \rightarrow \{\{ empty \}, \{ \bigcirc \neg P \}\}$ 
The remaining rules are direct extrapolations from our normal form rules. 
They all assume that $P_1$ and $P_2$ are in the normal forms we highlighted earlier. 
The next two rules decompose chop and projection: 

$P_1 ; P_2 \rightarrow \{\{ (empty \wedge (P_{e,1} \wedge P_{e,2})) \vee$ 
$\bigvee_i (P_{i,1} \wedge \bigcirc (P'_{i,1} ; P_2)) \vee$ 
$\bigvee_j ((P_{e,1} \wedge P_{j,2}) \wedge \bigcirc P'_{j,2}) \}\}$ 

$P_1\ proj\ P_2 \rightarrow \{\{ (empty \wedge P_{e,2}) \vee$ 
$\bigvee_i \bigvee_j ((P_{i,1} \wedge P_{j,2}) \wedge \bigcirc (P'_{i,1} ; P_1\ proj\ P'_{j,2})) \}\}$ 

$\neg(P_1 ; P_2)$ and $\neg(P_1\ proj\ P_2)$ can be obtained by the negation of normal 
forms previously highlighted. In fact, negation of all the operators could be 
obtained from negation of the normal forms, but in the case of the propositional 
operators and strong next it is more straightforward to handle negation outside 
the normal form expansion. 

The following two rules encapsulate the required normal form negation. Both 
rules assume that $(P_{i,1})_i$ and $(P_{j,2})_j$ partition True. 

$\neg(P_1 ; P_2) \rightarrow \{\{ (empty \wedge (\neg P_{e,1} \vee \neg P_{e,2})) \vee$ 
$\bigvee_i ((\neg P_{e,1} \wedge P_{i,1}) \wedge \bigcirc \neg (P'_{i,1} ; P_2)) \vee$ 
$\bigvee_i \bigvee_j ((P_{e,1} \wedge P_{i,1} \wedge P_{j,2}) \wedge \bigcirc (\neg P'_{j,2} \wedge \neg (P'_{i,1} ; P_2))) \}\}$ 

$\neg(P_1\ proj\ P_2) \rightarrow \{\{ (empty \wedge \neg P_{e,2}) \vee$ 
$\bigvee_i \bigvee_j ((P_{i,1} \wedge P_{j,2}) \wedge \bigcirc \neg (P'_{i,1} ; P_1\ proj\ P'_{j,2})) \}\}$ 

We have the following lemma. 

Lemma 1. All the decomposition rules preserve satisfaction. Thus, for a rule 
of the form, 

$P \rightarrow \{S_1, \ldots, S_n\}$ 

the following holds: 

$\sigma \models P$ iff $\exists j.\ \sigma \models \bigwedge S_j$, where $\bigwedge \{P_1, \ldots, P_n\} = P_1 \wedge \ldots \wedge P_n$ 

Proof 

The propositional rules and the rule for $\neg \bigcirc P$ are straightforward. The rules for 
$;$, $proj$, $\neg ;$ and $\neg proj$ follow from validity of the normal forms. 

The Graph Construction. The tableau graph is constructed using the follow- 
ing rules: 

1. Where $P$ is the formula to test, label the initial node with $\{ P , True ; empty \}$ 
and apply steps (2) and (3) repeatedly until neither can be applied to any 
node in the graph. 

Note that when we create a son node in rules (2) and (3) with labelling $\Gamma$, we 
only add a new node if a node labelled $\Gamma$ does not already exist, otherwise 
we add an edge back to the original node. 

2. If a node $n$ contains a non-elementary formula $P$ and the tableau rule for $P$ 
is $P \rightarrow \{S_i\}$, then, for all $i$ create a son of $n$ labelled: $(\Gamma_n - \{P\}) \cup S_i$. 

3. If a node $n$ contains only elementary formulas and does not contain $empty$, 
then create a son of $n$ labelled by the next formulas of $\Gamma_n$ with outermost 
nexts removed. 

We call rule 2 the decomposition rule and rule 3 is called the step rule. 

So, we start with the formula under test and we add $\Diamond empty$ (i.e. $True ; empty$) to the initial 
node. This is needed in order to enforce the requirement that a successful path 
through the tableau terminates. This termination arises through the final node 
in the path containing $empty$. Another way of looking at this is that it ensures 
that a marker for termination of a path is included in every state (note $\Diamond empty$ 
is either satisfied immediately and a path is terminated or it is preserved in the 
next state, i.e. $\Diamond empty$ arises in all descendent states; lemma 2 encapsulates 
this fact). 

Graph Reduction. The next stage in the tableau algorithm is to eliminate 
unsatisfiable nodes by repeatedly applying the following rules: 

— (E1) Eliminate nodes containing formulas $P$ and $\neg P$. 

— (E2) If a node has no successors and does not contain $empty$, eliminate it. 

— (E3) If a node contains $empty$ and $\bigcirc P$, eliminate it. 

— (E4) If a pre-state contains an unaccepted formula of the form $P_1 ; P_2$, 
$\neg(P_1 ; P_2)$, $P_1\ proj\ P_2$ or $\neg(P_1\ proj\ P_2)$ then eliminate the pre-state. 

This procedure terminates when all unsatisfiable nodes have been eliminated. 
The first three of these rules embody straightforward cases of an unsatisfiable 
node. The fourth rule hinges on the notion of a chop or projection formula 
failing to be accepted. The following rule defines what it means for a formula to 
be accepted. 

— (F) A formula $P$ is accepted in a pre-state if there is a path in the tableau 
leading from that pre-state to a node containing $empty$. 

We claim that the initial formula is satisfiable if we can generate a tableau 
according to the graph construction rules, reduce it according to rules (E1) - 
(E4) and the initial node is not eliminated. 

Discussion. The tableau algorithm that we present here is simpler in a number 
of respects than that defined in [18]. For example, a central concept in Wolper's 
work is that of a fulfilling path. For any temporal formula, other than $\bigcirc$, to 
be satisfied a path which witnesses the satisfaction of the formula must exist. 
Our accepting paths play a similar role. However, many of the complexities 
associated with fulfilling paths do not arise with accepting paths since we are 
searching for finite models/satisfying paths and thus, we can use $empty$ as a 
marker for successful completion of such a satisfying model. In addition, Wolper 
includes a marking mechanism, whereby formulas are marked when they are 
being considered for fulfillment. This means that formulas that have been fulfilled 
are carried through the tableau. In contrast, we simply discard formulas once we 
unfold them with the decomposition rule. This simpler approach is also justified 
on the grounds that we are working with finite models. 

Example. The tableau expansion for $(len(1) ; \bigcirc q) \wedge len(1)$ is shown in figure 
4. In order to simplify the presentation the decomposition arrows shown reflect 
multiple applications of the decomposition rules. These multiple applications 
will simplify the normal form expansions, yielding the following relationships: 

$\bigcirc empty ; \bigcirc q = \bigcirc (empty ; \bigcirc q)$ 

$True ; empty = empty \vee \bigcirc (True ; empty)$ 

$empty ; \bigcirc q = \bigcirc q$ 

1: $\{ \bigcirc empty ; \bigcirc q , \bigcirc empty , True ; empty \}$ 
(decomposition of node 1 yields nodes 2 and 3) 

2: $\{ \bigcirc (empty ; \bigcirc q) , \bigcirc empty , empty \}$ 

3: $\{ \bigcirc (empty ; \bigcirc q) , \bigcirc empty , \bigcirc (True ; empty) \}$ 
(the step rule applied to state 3 yields node 4) 

4: $\{ empty ; \bigcirc q , empty , True ; empty \}$ 
(decomposition of node 4 yields nodes 5 and 6) 

5: $\{ \bigcirc q , empty \}$ 

6: $\{ \bigcirc q , empty , \bigcirc (True ; empty) \}$ 

Fig. 4. Tableau expansion of $(len(1) ; \bigcirc q) \wedge len(1)$ 

It turns out that all the "terminal" nodes here, i.e. those containing $empty$ (nodes 2, 5 and 6), 
will be eliminated by (E3) because they also contain unsatisfied next-state formulae. The 
elimination of all leaf nodes will cause all new leaf nodes (which neither contain 
$empty$ nor have any successors) to be eliminated by (E2), which in turn will have a knock-
on effect on the new set of leaf nodes and so on, until the initial node has been 
eliminated. Thus, showing that the formula, 

$(len(1) ; \bigcirc q) \wedge len(1)$ 

is unsatisfiable. 

5 Correctness of the Tableau 

This section investigates correctness of the tableau algorithm. First we need a 
small lemma which clarifies how the $\Diamond empty$ added to the initial node behaves. We 
give sketches of the proofs in this section; full proofs can be found in [5]. 

Lemma 2. All states in the tableau contain either $empty$ or $\bigcirc (True ; empty)$. 
Proof sketch: 

We proceed by induction over the structure of the graph, noting that the normal 
form for $True ; empty$ is 

$True ; empty = (empty \wedge True) \vee$ 
$(True \wedge \bigcirc (True ; empty))$ 

and that the rules of the tableau expand the formula according to its normal 
form. $\Box$ 

The following theorem shows that our tableau algorithm does indeed check sat- 
isfiability. 

Theorem 1. P is satisfiable if and only if the initial node of the graph generated 
by the tableau method just presented is not eliminated. 

Proof sketch: 

($\Rightarrow$) For this we prove the contrapositive: 

The initial node is eliminated implies that P is unsatisfiable. 

First we prove the general result that a node, n say, labelled {Pi, ..,Pm} is 
eliminated implies Pi A P 2 A ... A Pm is unsatisfiable. We prove this by induction 
on the structure of the graph. Thus, we assume the result for all successors of 
node n. We consider in turn the possible reasons for node n being eliminated; 
cases (El) and (E3) are the base cases; (E2) and (E4) give the induction steps. 
The cases (E1)-(E3) are standard. 

In the case of (E4), it is sufficient to show that if there is a model a for a 
formula P then there is an accepting path for P. The proof is by induction over 
the length of a and with reference to the normal forms of the formulas involved. 

This completes our proof that a node n is eliminated implies that the conjunc- 
tion of its constituent formulas is unsatisfiable. The required property concerning 
the initial node is a special case of this result. 

($\Leftarrow$) We need to verify the property: 
The initial node of the graph is not eliminated implies $P$ is satisfiable 

First note that if the initial node of the graph is not eliminated then an 
accepting path for P must exist in the (reduced) tableau. Our strategy will be 
to derive a model for P from this accepting path. 

Assume P has an accepting path. Now from that path extract the subaccept- 
ing path which contains just the states in the accepting path, i.e. all pre-states 
and intermediate states are removed. Note that an accepting path must contain 
at least one state since the terminating node of the path will be a state. This 
is because if the terminating node contains a non-elementary formula then the 
node would be eliminated by rule (E4) since an accepting path for the formula 
would not exist. We will argue by induction on the size of this subaccepting path 
that an interval a exists. In fact, the induction states that a corresponds exactly 
to this subaccepting path. 

This completes the second half of the proof and thus the proof of the result 
itself. $\Box$ 
Abstract. In this work a tableau calculus is proposed, that checks 
whether a finite set of formulae in propositional linear temporal logic 
(LTL) has a finite model whose cardinality is bounded by a constant 
given in input, and constructs such a model, if any. From a theoretical 
standpoint, the method can also be used to check finite satisfiability tout 
court. The following properties of the proposed calculus are proved: ter- 
mination, soundness and completeness w.r.t. finite model construction. 
The motivation behind this work is the design of a logical language to 
model planning problems and an associated calculus for plan construc- 
tion, integrating the declarativity, expressiveness and flexibility typical 
of the logical languages with the capability of embedding search-based 
techniques well established in the planning community. 



1 Introduction 

This work investigates the issue of the construction of finite models of a given 
set of linear temporal formulae and, in particular, its application to model and 
solve planning problems. 

In [12] the view of a planning activity is proposed, as the search for a fi- 
nite model of the specification of the planning problem. In such a perspective, 
planning amounts to prove that preconditions A goals has a finite model and 
such a model represents, in fact, a plan achieving the desired goals. Except for 
this and few other proposals, the logical approach to planning is usually based 
on deduction, and plan generation is carried out by constructively proving plan 
specification formulae, having the form preconditions — >■ goals. Within this ap- 
proach, different logics have been used: classical logic [16], linear logic [14,15], 
temporal logics [21,13]. Works using modal temporal logics rely on the branching 
model of time of interval-based temporal logics. 

* This work has been partially supported by MURST, ASI (Agenzia Spaziale Italiana) 
and CNR (SCIxSIA Project). 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 124-140, 1998. 

© Springer- Verlag Berlin Heidelberg 1998 




Bounded Model Search in Linear Temporal Logic 



The other main approach to planning, deriving from classical STRIPS, is ba- 
sed on ad hoc, more or less powerful formalisms, and solves planning problems 
by means of search based techniques (see, for example, [8,19]). Some of the plan- 
ning languages in this category have a definitely unclear semantics. The problem 
specification sometimes codes procedural information, used to guide the search, 
that leads the planner to prune part of the potential search space, thus gaining 
in efficiency but risking the loss of completeness. Other planning formalisms have 
been given a clean semantics, but they generally have a limited expressive po- 
wer, corresponding to significant restrictions of first order logic. The problem of 
designing more expressive and easy-to-use planning languages, with a clear and 
natural semantics, is felt as an important one in the planning community. On 
the other hand, the use of specialized algorithms and techniques, such as partial 
order, regression planning, least commitment (see Section 4), as well as control 
strategies to guide the search, may outperform the use of general theorem pro- 
vers as tools for plan construction. In fact, in many planning problems, methods 
based on regression and plan space search lead to a significant reduction of the 
search space. 

The motivation of this work is to lay the grounds for the design of a logical 
language and an associated calculus for plan construction having, on one side, 
the declarativity, expressiveness and flexibility typical of the logical approach, 
together with a clean semantics based on a natural model of time and action, 
and, on the other, the capability of embedding search-based techniques, typically 
partial order, regression and least commitment. Viewing a plan as a finite model 
of the problem specification, this work proposes the use of linear temporal logic 
(LTL) as the specification language (differently, [12] uses propositional classical 
logic). The main advantage of the use of LTL as a planning language derives 
from its rich expressive power¹ and the underlying simple model of time. 

The search for finite LTL models is carried out by means of tableau con- 
struction. Semantical tableaux bear in fact a significant advantage with respect 
to other proof systems strongly based on normal forms (resolution oriented, for 
instance) when proofs are expected to convey understandable information to 
the user. This is in fact the case in the planning domain, since the design of 
mixed-initiative systems can be a good choice in order to control the complexity 
of real world planning problems. Moreover, tableau methods have proved to be 
efficient reasoning methods for practical purposes, when the proof search is gui- 
ded by control knowledge that helps keep the search space to a manageable size. 
The tableau calculus described in this work carries strong similarities with [18]. 
However, while temporal structures are always infinite in that work, we focus on 
finite temporal models, that are obviously more suitable to represent plans. 

Planning is a notoriously hard problem: plan existence is PSPACE-complete 
for propositional STRIPS-planning [5]. However, the existence of polynomial- 
length plans is NP-complete [12], hence practical solutions are often required 
not to exceed a given (polynomial) length known in advance. For this reason, 



¹ Mainly, with respect to classical propositional logic, the "since" and "until" operators 
add the strength of a sort of bounded quantification. 
this work focuses on bounded planning problems, i.e., in the temporal logic ap- 
proach, the search of finite models whose size is not greater than a given limit. 
Whenever such a limit is not known in advance, the shortest plan can be found 
by iterative deepening search. Moreover, from a theoretical standpoint, the cal- 
culus can also be used to check finite satisfiability tout court, just by fixing a 
suitable (exponential) limit to the plan length (see Section 3.4). 

As a byproduct of the focus on finite models, the “since” and “until” opera- 
tors can be given an intuitive and simple treatment, without hindering termina- 
tion. As already remarked, the naturalness of the expansion rules is an important 
feature for the intended application. 

We stress that in this work we focus on the theoretical grounds of the integra- 
tion of search-based techniques in an LTL tableau calculus, without specifically 
addressing efficiency issues. Practical systems for model construction can be built 
on this basis, by studying meaningful subclasses of the language, allowing the 
encoding of planning problems. These two phases are typical of the development 
of logical approaches to AI problems. 

2 The Tableau System for Linear Temporal Logic 

The language of linear temporal logic we consider extends classical propositional 
logic, with the logical operators $\neg$, $\wedge$, $\vee$, $\bot$ (always false) and $\top$ (always true), 
by means of the unary modal operators $\Box$ (always in the future), $\blacksquare$ (always in 
the past), $\Diamond$ (sometime in the future), $\blacklozenge$ (sometime in the past), and the binary 
ones $\mathcal{S}$ (since) and $\mathcal{U}$ (until). 

The semantics of the language is defined as follows. A temporal structure $T$ is 
a finite initial segment of the natural numbers: $(0, \ldots, k)$; its elements are called 
time points. If $L$ is an LTL temporal language and $P$ the set of propositional 
letters in $L$, an $L$-interpretation $\mathcal{M}$ is a pair $(T, \sigma)$, where: 

— $T$ is a temporal structure; 

— $\sigma : T \rightarrow \mathcal{P}(P)$ is a function on time points, providing an interpretation to 
the propositional letters in $P$ for any point in $T$. I.e. if $i \in T$, then $\sigma(i) \subseteq P$ 
is the set of propositional letters true at $i$. 

The satisfiability relation $\mathcal{M}_i \models A$, for $i \in T$, is inductively defined by 
addition of the following clauses to the usual ones for the classical connectives: 

1. $\mathcal{M}_i \models \Box A$ iff for all $j > i$, $\mathcal{M}_j \models A$. 

2. $\mathcal{M}_i \models \Diamond A$ iff there exists $j \in T$ such that $j > i$ and $\mathcal{M}_j \models A$. 

3. $\mathcal{M}_i \models A\,\mathcal{U}\,B$ iff $\exists j \in T$ such that $j > i$ and $\mathcal{M}_j \models B$ and for any $k$ with 
$i < k < j$, $\mathcal{M}_k \models A$. 

4. $\mathcal{M}_i \models \blacksquare A$ iff for all $j < i$, $\mathcal{M}_j \models A$. 

5. $\mathcal{M}_i \models \blacklozenge A$ iff there exists $j \in T$ such that $j < i$ and $\mathcal{M}_j \models A$. 

6. $\mathcal{M}_i \models A\,\mathcal{S}\,B$ iff $\exists j \in T$ such that $j < i$ and $\mathcal{M}_j \models B$ and for any $k$ with 
$j < k < i$, $\mathcal{M}_k \models A$. 
Truth is satisfiability in the initial state: a formula $A$ is true in $\mathcal{M}$ (and $\mathcal{M}$ is 
a model of $A$) iff $\mathcal{M}_0 \models A$. Truth of sets of formulae is defined as usual. 

Note that, due to the "strong" interpretation of the modal operators (exclu- 
ding the present time point also in the case of future time operators), the weak 
and strong "Next" and "Last" operators are definable. Although also the $\Diamond$ 
and $\blacklozenge$ operators are definable, we prefer to give them a separate treatment in 
the tableau system. The semantics of such "existential" operators is again the 
strong one, so that, for example, $\Box \Diamond A$ can be true only in temporal structures 
consisting of a single time point (it is in fact always true in such cases, since at the 
last time point $\Diamond A$ is false). 

A formula is in negation normal form (nnf) iff no logical operator is in the 
scope of a negation. Two formulae $A$ and $B$ are equivalent iff for all $\mathcal{M}$ and $i$, 
$\mathcal{M}_i \models A$ iff $\mathcal{M}_i \models B$. It can easily be shown that, under this strong notion of 
equivalence, every formula can be transformed into an equivalent formula in nnf, 
by applying the usual equivalences for $\rightarrow$, $\wedge$, $\vee$, $\Box$, $\blacksquare$, $\Diamond$, $\blacklozenge$, and: 

$\neg(A\,\mathcal{U}\,B) = (\neg B\,\mathcal{U}\,(\neg A \wedge \neg B)) \vee \Box \neg B$ 

$\neg(A\,\mathcal{S}\,B) = (\neg B\,\mathcal{S}\,(\neg A \wedge \neg B)) \vee \blacksquare \neg B$ 
In the rest of this section a tableau system is defined, that allows one to test 
whether a set of LTL formulae in nnf admits models whose underlying temporal 
structure does not exceed a given size. In case of a positive answer, a model 
can be easily extracted from the tableau construction. The restriction to nnf 
formulae is introduced only to simplify the presentation of the rules. 
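The finite-structure semantics, the nnf transformation and the bounded model search of this section, as an added example; this is not the authors' calculus but a brute-force reference for what it decides. Formulas use a tuple encoding chosen here (`'box'`, `'dia'`, `'until'` for the future operators, `'boxp'`, `'diap'`, `'since'` for the past ones), a structure is a list of sets of true letters indexed by time point, and `bounded_model` enumerates every structure of at most a given number of points, which is exactly the search space the tableau with $K = \{finish < start + k\}$ explores. The planning-style formulas in `example_plan` are constructed for the example.

```python
from itertools import combinations, product

# LTL formulas as tuples (encoding chosen for this example):
# ('top',), ('bot',), ('p', name), ('not', f), ('and', f, g), ('or', f, g),
# ('box', f), ('dia', f), ('until', f, g) for the future;
# ('boxp', f), ('diap', f), ('since', f, g) for the past.
# A structure M is a list [sigma(0), ..., sigma(k)] of sets of letters true at each point.

def sat(M, i, f):
    """M_i |= f with the strict (present-excluding) semantics of clauses 1-6."""
    k, T = f[0], range(len(M))
    if k == 'top':   return True
    if k == 'bot':   return False
    if k == 'p':     return f[1] in M[i]
    if k == 'not':   return not sat(M, i, f[1])
    if k == 'and':   return sat(M, i, f[1]) and sat(M, i, f[2])
    if k == 'or':    return sat(M, i, f[1]) or sat(M, i, f[2])
    if k == 'box':   return all(sat(M, j, f[1]) for j in T if j > i)
    if k == 'dia':   return any(sat(M, j, f[1]) for j in T if j > i)
    if k == 'boxp':  return all(sat(M, j, f[1]) for j in T if j < i)
    if k == 'diap':  return any(sat(M, j, f[1]) for j in T if j < i)
    if k == 'until': # some later j with B, and A at every point strictly between i and j
        return any(sat(M, j, f[2]) and all(sat(M, l, f[1]) for l in range(i + 1, j))
                   for j in T if j > i)
    return any(sat(M, j, f[2]) and all(sat(M, l, f[1]) for l in range(j + 1, i))   # since
               for j in T if j < i)

DUAL = {'box': 'dia', 'dia': 'box', 'boxp': 'diap', 'diap': 'boxp',
        'and': 'or', 'or': 'and', 'top': 'bot', 'bot': 'top'}

def nnf(f):
    """Push negations down to the letters, using the equivalences quoted in the text."""
    k = f[0]
    if k != 'not':
        return f if k in ('top', 'bot', 'p') else (k, *(nnf(g) for g in f[1:]))
    g = f[1]
    if g[0] == 'not': return nnf(g[1])
    if g[0] == 'p':   return f
    if g[0] in ('top', 'bot'): return (DUAL[g[0]],)
    if g[0] in ('and', 'or'):  return (DUAL[g[0]], nnf(('not', g[1])), nnf(('not', g[2])))
    if g[0] in ('box', 'dia', 'boxp', 'diap'): return (DUAL[g[0]], nnf(('not', g[1])))
    # not(A U B) = (not B U (not A and not B)) or box not B; the S case uses boxp instead
    nA, nB = nnf(('not', g[1])), nnf(('not', g[2]))
    return ('or', (g[0], nB, ('and', nA, nB)), ('box' if g[0] == 'until' else 'boxp', nB))

def is_nnf(f):
    if f[0] == 'not':
        return f[1][0] == 'p'
    return all(is_nnf(g) for g in f[1:] if isinstance(g, tuple))

def structures(letters, max_points):
    """All interpretations whose temporal structure has at most max_points time points."""
    states = [frozenset(s) for r in range(len(letters) + 1) for s in combinations(letters, r)]
    for n in range(1, max_points + 1):
        for seq in product(states, repeat=n):
            yield list(seq)

def equivalent(f, g, letters, max_points):
    """Strong equivalence (at every point of every bounded structure), as the text defines it."""
    return all(sat(M, i, f) == sat(M, i, g)
               for M in structures(letters, max_points) for i in range(len(M)))

def bounded_model(formulas, letters, max_points):
    """Brute-force bounded model search: the first structure with at most max_points
    points that makes every formula true (satisfaction at time point 0), or None."""
    for M in structures(letters, max_points):
        if all(sat(M, 0, f) for f in formulas):
            return M
    return None

def example_plan():
    """A plan as a finite model: precondition at_home, goal <>at_work, and the (constructed)
    constraint that the agent is never in both places."""
    home, work = ('p', 'at_home'), ('p', 'at_work')
    spec = [home, ('dia', work), ('box', ('not', ('and', home, work)))]
    return bounded_model(spec, ['at_home', 'at_work'], 3)
```

The search is exhaustive in the number of points and letters, so it only serves to check small claims: that the nnf rewriting of $\neg(A\,\mathcal{U}\,B)$ and $\neg(A\,\mathcal{S}\,B)$ is equivalent to the original on every bounded structure, that $\Box \Diamond A$ holds exactly in one-point structures, and that a two-point plan satisfies the constructed specification.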

Let $C = \{start, finish, d_1, d_2, d_3, \ldots\}$ be a set of constants (intuitively deno- 
ting time points). A state is any expression of the form $c + n$, for $c \in C$ and 
$n \in \mathbb{Z}$. The set of states is denoted by $\mathcal{S}$. It is intended that $C \subseteq \mathcal{S}$ ($c$ can be 
rewritten as $c + 0$). If $s, t \in \mathcal{S}$, then $s \le t$ is a temporal constraint. A labelled 
formula is an expression of the form $[s,t]A$, where $s, t \in \mathcal{S}$ and $A$ is an LTL 
formula in nnf. $[s,s]A$ will be abbreviated by $[s]A$. 

Tableau nodes are labelled either by temporal constraints or labelled formulae 
(that are called logical nodes). If $S$ is a finite set of formulae in nnf and $K = 
\{finish < start + k\}$ for some integer $k > 0$ (representing the maximal size 
of the searched models), then tableaux for $S \cup K$ are initialized with the set 
$\{[start]A \mid A \in S\} \cup K$ and expanded by application of the rules in Table 1, 
where $c$ denotes an element of $C$, and $s, t, s', t', \ldots$ elements of $\mathcal{S}$. The set of nodes 
occurring above the line of a rule is called the premise of the rule, while the sets 
of nodes occurring below are the expansions of the premise. 

Note that a sort of contraction is implicit in the $\beta$-rule: the rightmost ex- 
pansion of the rule contains a node with the same formula already occurring in 
the premise, even though the labels (intervals) of the nodes are different. The 
intuition behind the $\beta$-rule is the following: either $A$ is true in the whole interval 
(leftmost branch), or there exists a smallest time point $c$ in the interval where $A$ 
is false, hence $B$ is true; since $c$ is chosen to be the first of such points, $A$ is true 
in the (possibly empty) subinterval before it. The rule could also be formulated 
in a symmetric way, distinguishing two cases according to whether $A$ is true at 
$s$ or $B$ is true at $s$. However, this would force the rule to be reapplied once for 
each point of the interval; on the contrary, with the proposed asymmetric formu- 
lation the interval may be cut into larger pieces at each application (obviously, 
the behaviour is the same in the worst case, where $A$ and $B$ are interleaved). 
The $\beta$-rule is a delicate point: note that it is indirectly charged to expand also 
$\mathcal{U}$- and $\mathcal{S}$-formulae. 





Logical rules (expansions of a rule are separated by |; "c ∈ C fresh" means a
constant not yet occurring in the branch; ■ and ◆ are the past-time box and
diamond)

  Propositional

    α-rule    [s,t]A ∧ B,  s ≤ t
              ------------------
              [s,t]A,  [s,t]B

    β-rule    [s,t]A ∨ B,  s ≤ t
              ---------------------------------------------------------------
              [s,t]A  |  s ≤ c,  c ≤ t,  [s, c−1]A,  [c]B,  [c+1, t]A ∨ B      (c ∈ C fresh)

  Future time

    □-rule    [s,t]□A,  s ≤ t
              ------------------
              [s+1, finish]A

    ◇-rule    [s,t]◇A,  s ≤ t
              ------------------
              [c]A,  t+1 ≤ c                                                 (c ∈ C fresh)

    U-rule    [s,t]AUB,  s ≤ t
              ------------------
              [c]B,  t+1 ≤ c,  [t+1, c−1]A,  [s+1, t]A ∨ B                     (c ∈ C fresh)

  Past time

    ■-rule    [s,t]■A,  s ≤ t
              ------------------
              [start, t−1]A

    ◆-rule    [s,t]◆A,  s ≤ t
              ------------------
              [c]A,  c ≤ s−1                                                 (c ∈ C fresh)

    S-rule    [s,t]ASB,  s ≤ t
              ------------------
              [c]B,  c ≤ s−1,  [c+1, s−1]A,  [s, t−1]A ∨ B                     (c ∈ C fresh)

Interval rule

              [s,t]A
              ------------------
              t ≤ s−1  |  s ≤ t

Conflict resolution rules

              s ≤ t,  s' ≤ t',  [s,t]p,  [s',t']¬p              [s,t]⊥
              -------------------------------------             --------
              t ≤ s'−1  |  t' ≤ s−1                             t ≤ s−1

Table 1. Tableau expansion rules



When the interval rule is applied to expand [s,t]A, we say that it is applied
to the interval [s,t], independently of the formula A. This rule distinguishes the
cases where an interval is empty or not. Its role is to provide the preconditions
for the application of the logical and resolution rules. Intuitively, it is useless,
and sometimes even incorrect, to expand a node when the interval is empty and,
given two nodes [s,t]p and [s',t']¬p, there is no conflict to be solved if
either [s,t] or [s',t'] (or both) are empty. Note that such a rule could be dispensed
with, and a corresponding branching added to most of the other rules, handling
the case where the considered interval is empty. Its distinction as a separate
rule makes the formulation of the calculus more compact and clearer: obviously,
a test on the emptiness of an interval [s,t] needs to be done just once in a
branch, independently of the number of logical nodes labelled by [s,t].

When the leftmost conflict resolution rule is applied, we say that it is applied
to the nodes [s,t]p and [s',t']¬p.

In the following, if B is a tableau branch, const(B) denotes the set of constants
occurring in B, including start and finish.

Definition 1. Let C be a set of constants (including start and finish) and
ℐ a mapping from C to the integers. The notation ℐ* is used to denote the
extension of ℐ from states to the integers such that ℐ*(c + n) = ℐ(c) + n for
every c ∈ C, n ∈ Z.

1. Let T = (0, ..., k) be a finite sequence of integers starting at 0. ℐ is a temporal
mapping for C with range T if min{ℐ(c) | c ∈ C} = ℐ(start) = 0 and
max{ℐ(c) | c ∈ C} = ℐ(finish) = k. Hence, in particular, the range of a
temporal mapping is always finite.

2. If K is a set of temporal constraints over C, then ℐ is a solution to K iff:

a) ℐ is a temporal mapping for C;

b) if s ≤ t ∈ K, then ℐ*(s) ≤ ℐ*(t).

3. Let B be a tableau branch, C = const(B) and ℳ a temporal interpretation
with domain T.

a) If ℐ is a temporal mapping for C with range T, then (ℳ,ℐ) satisfies
B ((ℳ,ℐ) ⊨ B) iff:

i. ℐ is a solution to the set of temporal constraints occurring in B;
ii. if [s,t]A occurs in B, then for every integer i, if i ∈ T and ℐ*(s) ≤
i ≤ ℐ*(t), then ℳ_i ⊨ A.

b) B is satisfiable in ℳ iff there exists a temporal mapping ℐ for C such
that (ℳ,ℐ) ⊨ B.

Definition 2. Let B be a tableau branch and K the set of temporal constraints
occurring in B. B is open iff there exists a solution to K. Otherwise it is closed.

Later on (Lemma 2) we show that every (non-redundant) infinite branch is
closed. Hence, we are only concerned with checking closure for finite branches,
which amounts to checking satisfiability of a finite set of integer constraints. This
can be done by means of well-known graph algorithms (see any standard textbook
on algorithms, e.g. [7]): a constraint c1 + n1 ≤ c2 + n2 is the difference constraint
ℐ(c1) − ℐ(c2) ≤ n2 − n1, and a finite system of difference constraints has a solution
iff the corresponding constraint graph has no cycle of negative weight.

The following definition captures the intuitive idea of tableaux where no 
wasteful expansions are ever performed. In particular, closed branches are never 
expanded. 

Definition 3. A tableau branch B is canonical iff: 

— The interval rule is applied no more than once to each interval. 
— Every labelled formula is expanded no more than once by means of a logical
rule.

— The conflict resolution rule is applied no more than once to each node or 
pair of nodes. 

— No proper initial subsegment of B is closed. 

A tableau is canonical iff all its branches are canonical. 

Definition 4. If B is a tableau branch, then B is complete iff there exists no 
canonical expansion ofB. A tableau is complete if all its branches are complete. 

Here follows an example, showing the partial development of a tableau for
A = ◇p ∧ □(¬p ∨ q). Below, the application of the interval rule to intervals of
the form [c] is not shown, and neither are obvious premises of the form c ≤ c.
The nodes are numbered in order to comment on the tableau. We assume that the
tableau is initialized with some limit k, for any k ≥ 1.

 1. finish ≤ start + k
 2. [start] A
 3. [start] ◇p
 4. [start] □(¬p ∨ q)
 5. [d1] p
 6. start + 1 ≤ d1
 7. [start + 1, finish] ¬p ∨ q
    ├─  8. finish ≤ start                        (closed)
    └─  9. start + 1 ≤ finish
        ├─ 10. [start + 1, finish] ¬p
        │      ├─ 11. d1 ≤ start                 (closed)
        │      └─ 12. finish ≤ d1 − 1            (closed)
        └─ 13. start + 1 ≤ d2
           14. d2 ≤ finish
           15. [start + 1, d2 − 1] ¬p
           16. [d2] q
           17. [d2 + 1, finish] ¬p ∨ q
               ├─ 18. d2 − 1 ≤ start
               │      ├─ 20. finish ≤ d2         (open and complete)
               │      └─ 21. d2 + 1 ≤ finish
               └─ 19. start + 1 ≤ d2 − 1

Nodes 3 and 4 are the expansion of 2, and their expansions are 5, 6 and 7,
respectively. Nodes 8 and 9 result from the application of the interval rule to 7;
the branch with node 8 is closed, since, implicitly, d1 ≤ finish. Nodes 10 and
13-17 are the branches obtained from 7 and 9 by the β-rule. The conflict resolution
rule is applied to 5, 9 and 10, giving 11 and 12, which both close. Nodes 18-19
and 20-21 derive from 15 and 17, respectively, by the interval rule. The branches
passing through 19 and 21 are not further developed. The open and complete
branch ending at 20 represents the smallest (partial) model, with points
0 = ℐ(start) < 1 = ℐ(d1) = ℐ(d2) = ℐ(finish), with both p and q holding at 1.
One of the further expansions of the branch passing through 21 would yield a
more general description, with 0 = ℐ(start) < 1 = ℐ(d2) < ℐ(d1), where p holds
at ℐ(d1) and q holds in the whole interval [1, ℐ(finish)]. The development of 19
explores models where d1, d2 > 1.
3 Termination, Completeness and Soundness

In this section we show that the construction of any canonical tableau terminates
and that the calculus is complete and sound, i.e., if a given set of formulae S has
a model ℳ whose size is not greater than k, then any tableau for S ∪ {finish ≤
start + k} has an open branch that is satisfiable in ℳ (completeness) and any
complete and open branch, in any tableau for S ∪ {finish ≤ start + k}, is
satisfiable in some model whose size is bounded by k (soundness). It is also
shown that, from a theoretical standpoint, the calculus can be used to check
satisfiability in models of any finite size. Complete proofs can be found in [6].

3.1 Termination

Here we restrict our attention to canonical tableaux, thus ensuring, in particular,
that the construction of a branch is abandoned as soon as it is recognized to
be closed. As already remarked, the existence of a solution for a given set of
constraints can be tested by means of shortest-path graph algorithms.

The following definition captures the idea of a sequence of applications of the
β-rule, each of which expands an expansion of the previous one.

Definition 5. Let B be a tableau branch. A β-node in B is a node of the form
[s,t]A ∨ B. A β-chain in B is a sequence of β-nodes X_0, X_1, ... such that, for
every i ≥ 1, X_{i−1} is expanded in B by application of the β-rule and X_i is the
β-node in the corresponding rightmost expansion. A k-length-β-chain is a finite
β-chain X_0, X_1, ..., X_{k+1}, constituted by k + 2 nodes.

A node X in B is the root node of a β-chain if it is the first node in a β-chain
and it is not itself obtained by an application of the β-rule, i.e. there exists a
maximal length β-chain in B having X as its first node.

The proof that the construction of canonical tableaux terminates uses the
following lemmas.

Lemma 1. Let B be a branch in a tableau and ℐ a temporal mapping satisfying
the constraints in B. If [s,t]A occurs in B and ℐ*(s) ≤ ℐ*(t), then 0 ≤ ℐ*(s) ≤
ℐ*(t) ≤ ℐ(finish).

Lemma 2.

1. If B is a canonical open branch in a tableau for S ∪ {finish ≤ start + n},
then B contains no k-length-β-chain with k > n.

2. Any canonical infinite branch contains an infinite β-chain.

3. Every open branch is finite.

Proof. We give here only a proof of the first item. Let us assume that B does
contain a k-length-β-chain with k > n. Then B contains a sequence of nodes
having the form [s,t]A ∨ B, [a_1 + 1, t]A ∨ B, [a_2 + 1, t]A ∨ B, ..., [a_{n+2} + 1, t]A ∨ B
and the sequence of constraints s ≤ a_1, a_1 + 1 ≤ a_2, ..., a_{n+1} + 1 ≤ a_{n+2} and
a_{n+2} ≤ t. If ℐ is a solution for the constraints in B, then, by Lemma 1,
0 ≤ ℐ*(s) ≤ ℐ*(t) ≤ ℐ(finish) (in fact s ≤ t is in B), so that ℐ*(a_{n+2}) ≥ n + 1.
However, ℐ*(a_{n+2}) ≤ ℐ*(t) ≤ ℐ(finish) ≤ n holds too, which is absurd.

Theorem 1. Any canonical tableau for S ∪ {finish ≤ start + n}, for any n ≥ 0,
is finite.
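The closure test that the termination argument relies on, written out as an added example (this is not code from the paper nor from the TabPlan prototype): branch constraints are turned into a system of difference constraints and tested with the textbook Bellman-Ford negative-cycle check, which is what "reducing closure to a shortest-path problem" amounts to. The encoding of a state c + n as the pair (c, n) and of s ≤ t as a pair of states is an assumption of this example. The constraint sets are those of the branches of the example tableau of Section 2 (nodes 1-21, with k = 3), `extract_model` builds the interpretation σ that the proof of Theorem 3 (Section 3.3) reads off an open branch, and `beta_chain` generates the constraints of the β-chain in the proof of Lemma 2, so that the bound on chain length can be observed directly.

```python
# Added example (not from the paper or TabPlan): branch closure as a
# difference-constraint problem, plus model extraction from an open branch.
# Encoding assumed here: a state c+n is the pair (c, n); a temporal
# constraint s <= t is the pair (s, t).


def state(c, n=0):
    """The state c + n, where c is a constant name."""
    return (c, n)


def constants_of(constraints):
    cs = {"start", "finish"}
    for (c1, _), (c2, _) in constraints:
        cs.update((c1, c2))
    return cs


def difference_graph(constraints):
    """c1+n1 <= c2+n2 is the difference constraint X(c1) - X(c2) <= n2 - n1,
    i.e. an edge c2 -> c1 of weight n2 - n1 (X(c1) <= X(c2) + weight).
    The temporal-mapping requirement (start minimal, finish maximal) is
    imposed by adding start <= c <= finish for every constant c."""
    cs = constants_of(constraints)
    full = list(constraints)
    for c in cs:
        full.append((state("start"), state(c)))
        full.append((state(c), state("finish")))
    return cs, [(c2, c1, n2 - n1) for (c1, n1), (c2, n2) in full]


def solve(constraints):
    """Bellman-Ford from a virtual source joined to every constant by a
    0-weight edge. Returns a temporal mapping {constant: int} with
    X(start) = 0 if the constraints are satisfiable (open branch), or None
    when a negative cycle shows they are not (closed branch)."""
    cs, edges = difference_graph(constraints)
    dist = {c: 0 for c in cs}
    for _ in range(len(cs)):
        changed = False
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v], changed = dist[u] + w, True
        if not changed:
            break
    if any(dist[u] + w < dist[v] for u, v, w in edges):
        return None
    base = dist["start"]
    return {c: dist[c] - base for c in cs}


def extract_model(mapping, atom_nodes):
    """The interpretation sigma of Theorem 3: p holds at i iff some node
    [s,t]p of the branch has X*(s) <= i <= X*(t). atom_nodes lists the
    positive literal nodes as ((s, t), p)."""
    ext = lambda st: mapping[st[0]] + st[1]       # X* on states
    sigma = {i: set() for i in range(mapping["finish"] + 1)}
    for (s, t), p in atom_nodes:
        for i in range(max(0, ext(s)), min(mapping["finish"], ext(t)) + 1):
            sigma[i].add(p)
    return sigma


def beta_chain(n, k=None):
    """Constraints generated by the beta-chain of the proof of Lemma 2
    (s <= a1, a_i + 1 <= a_{i+1}, a_{n+2} <= t, with [s,t] = [start, finish])
    in a tableau for finish <= start + k; k defaults to n, the closed case."""
    k = n if k is None else k
    cons = [(state("finish"), state("start", k)), (state("start"), state("a1"))]
    for i in range(1, n + 2):
        cons.append((state(f"a{i}", 1), state(f"a{i + 1}")))
    cons.append((state(f"a{n + 2}"), state("finish")))
    return cons


# Constraint nodes of the example tableau for Dia p /\ Box(-p \/ q), k = 3.
K = [(state("finish"), state("start", 3))]                    # node 1
COMMON = K + [(state("start", 1), state("d1")),               # node 6
              (state("start", 1), state("finish"))]           # node 9
CLOSED_11 = COMMON + [(state("d1"), state("start"))]          # node 11
CLOSED_12 = COMMON + [(state("finish"), state("d1", -1))]     # node 12
RIGHT = COMMON + [(state("start", 1), state("d2")),           # node 13
                  (state("d2"), state("finish")),             # node 14
                  (state("d2", -1), state("start"))]          # node 18
OPEN_20 = RIGHT + [(state("finish"), state("d2"))]            # node 20
OPEN_21 = RIGHT + [(state("d2", 1), state("finish"))]         # node 21
EXAMPLE_ATOMS = [((state("d1"), state("d1")), "p"),           # node 5
                 ((state("d2"), state("d2")), "q")]           # node 16

if __name__ == "__main__":
    for name, branch in [("11", CLOSED_11), ("12", CLOSED_12),
                         ("20", OPEN_20), ("21", OPEN_21)]:
        print("branch through node", name, "->", solve(branch))
    print("sigma from node 20:", extract_model(solve(OPEN_20), EXAMPLE_ATOMS))
    print("beta-chain, n = k = 3:", solve(beta_chain(3)))
```

Because Bellman-Ford returns shortest distances, the mapping it produces after shifting start to 0 is the one in which every constant is as late as the constraints allow; for the branch through node 21 this gives ℐ(d2) = 1 < ℐ(d1) = ℐ(finish), the "more general" model described above, while the branch ending at node 20 yields the two-point model with p and q at 1.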



3.2 Completeness with Respect to Model Construction

The proof that the tableau calculus is complete w.r.t. model construction uses
the following lemmas.

Lemma 3. Let B be a branch in a tableau T, ℳ a temporal interpretation and
ℐ a temporal mapping for the constants occurring in B. If (ℳ,ℐ) ⊨ B and
B can be expanded, B_1 (and B_2) being its expansion(s), then for some i = 1,2
there exists an extension ℐ' of ℐ to the fresh constants of B_i (if any) such that
(ℳ,ℐ') ⊨ B_i.

Proof. Different cases must be considered according to the applied expansion
rule. Let T be the temporal structure underlying ℳ (and the range of ℐ). Here
we show the treatment of the β-rule and the S-rule.

1. In the case of the β-rule, by hypothesis (ℳ,ℐ) ⊨ [s,t]A ∨ B and ℐ*(s) ≤
ℐ*(t), so that 0 ≤ ℐ*(s) ≤ ℐ*(t) ≤ ℐ(finish), by Lemma 1. It follows that
for every i ∈ [ℐ*(s), ℐ*(t)], ℳ_i ⊨ A ∨ B. If for every such i, ℳ_i ⊨ A,
then the leftmost branch is clearly satisfied by ℳ and ℐ. Otherwise, let k
be the smallest element in the interval [ℐ*(s), ℐ*(t)] such that ℳ_k ⊭ A,
hence ℳ_k ⊨ B. The mapping ℐ is extended to ℐ' such that ℐ'(a) = k.
By the choice of k, clearly (ℳ,ℐ') ⊨ [s, a − 1]A and (ℳ,ℐ') ⊨ [a]B. If
k = ℐ*(t), (ℳ,ℐ') ⊨ [a + 1, t]A ∨ B is vacuously satisfied. Otherwise, the interval
[ℐ*(a + 1), ℐ*(t)] is a subinterval of [ℐ*(s), ℐ*(t)], hence again (ℳ,ℐ') ⊨
[a + 1, t]A ∨ B.

2. Let the S-rule be applied to [s,t]ASB. By hypothesis, (ℳ,ℐ) ⊨ [s,t]ASB and
ℐ*(s) ≤ ℐ*(t). By Lemma 1, 0 ≤ ℐ*(s) ≤ ℐ*(t) ≤ ℐ(finish). It follows that
ℐ*(s) ∈ T and that there exists i ∈ T such that i < ℐ*(s), ℳ_i ⊨ B, and for
any j ∈ T such that i < j < ℐ*(s), ℳ_j ⊨ A. Hence if we set ℐ'(a) = i, where
a is the new constant introduced by the rule, we get that (ℳ,ℐ') satisfies
[a]B, a ≤ s − 1 and [a + 1, s − 1]A. Let us now consider any time point j ∈ T
such that ℐ*(s) ≤ j ≤ ℐ*(t − 1) and assume that ℳ_j ⊭ A ∨ B. Let k be the
smallest of such points; then ℐ*(s) < k + 1 ≤ ℐ*(t) but ℳ_{k+1} ⊭ ASB, a
contradiction.

As a consequence of the above lemma and Theorem 1 we have the following:

Theorem 2. Let ℳ = (T,σ) be a temporal interpretation, with T = (0,...,n),
S a finite set of LTL formulae in nnf and K = {finish ≤ start + k}, for some
integer k ≥ n. If ℳ is a model of S then any canonical tableau for S ∪ K has a
branch that is finite, open and satisfiable in ℳ.
3.3 Soundness with Respect to Model Construction

Conversely, any complete open branch describes some model of its initial formula.
Such a soundness result follows from the invertibility of the logical rules, with
respect to their logical nodes, established by the following lemma.

Lemma 4. Let ℳ = (T,σ) be a temporal interpretation and ℐ a temporal mapping
with range T. For every logical rule

    [s,t]F,  s ≤ t             [s,t]F,  s ≤ t
    ----------------    or     ----------------
      B_1  |  B_2                    B_1

if (ℳ,ℐ) ⊨ B_i (for some i = 1,2), then (ℳ,ℐ) ⊨ [s,t]F.

Proof. If ℐ*(t) < ℐ*(s) then (ℳ,ℐ) ⊨ [s,t]F for any F. Hence we assume
ℐ*(s) ≤ ℐ*(t). Here, we prove the lemma only for the case of the U-rule.

If F is AUB, then (ℳ,ℐ) satisfies [a]B, [t + 1, a − 1]A, [s + 1, t]A ∨ B,
where a is a fresh constant such that ℐ*(t + 1) ≤ ℐ(a) = n. Since (ℳ,ℐ) ⊨
[t + 1, a − 1]A, clearly ℳ_{ℐ*(t)} ⊨ AUB. Let now i ∈ [ℐ*(s), ℐ*(t − 1)]. Since for
all j ∈ [ℐ*(s + 1), ℐ*(t)], ℳ_j ⊨ A ∨ B, also for all j ∈ [i + 1, ℐ*(t)], ℳ_j ⊨ A ∨ B.
We distinguish two cases:

— If for all j ∈ [i + 1, ℐ*(t)], ℳ_j ⊨ A, then n itself is the "witness" for i: n > i,
ℳ_n ⊨ B and for all j, i < j < n, ℳ_j ⊨ A. Hence in this case ℳ_i ⊨ AUB.

— Otherwise, let k be the smallest j ∈ [i + 1, ℐ*(t)] such that ℳ_k ⊭ A. Since
ℳ_k ⊨ A ∨ B, ℳ_k ⊨ B. Moreover k > i and, by construction, for all j,
i < j < k, ℳ_j ⊨ A. Hence again ℳ_i ⊨ AUB.

Theorem 3. If B is a complete and open tableau branch and ℐ is a solution of
the set of the temporal constraints occurring in B, then there is an interpretation
ℳ such that (ℳ,ℐ) ⊨ B.

Proof. First of all, observe that by Lemma 2 the branch B is finite. Let T be the
(finite) range of ℐ and ℳ = (T,σ), where σ is such that:

    for each atom p and i ∈ T, p ∈ σ(i) iff there is a node [s,t]p in B such that
    ℐ*(s) ≤ i ≤ ℐ*(t).

The interpretation function σ is well defined, since, if [s,t]⊥ is in B, then K
contains t ≤ s − 1, because B is complete, so that there are no elements i ∈ T
with ℐ*(s) ≤ i ≤ ℐ*(t).

By hypothesis, ℐ satisfies all the temporal constraints in B, so it remains to be
shown that for any logical node [s,t]F in B, (ℳ,ℐ) ⊨ [s,t]F. This is done by
induction on the number of applications of logical rules in B. Note that if the
constraint t ≤ s − 1 occurs in B, then trivially (ℳ,ℐ) ⊨ [s,t]F. Hence, the only
interesting cases arise when the constraint s ≤ t occurs in B (since B is complete,
either t ≤ s − 1 or s ≤ t occurs in B, for any [s,t]F in B). In the following, K
denotes the set of constraints occurring in B.

1. The base case is when there is no application of logical rules in B, hence,
since B is complete, the only logical nodes in B have the form [s,t]F, where
F is a literal.

— If F is an atom, the result holds by definition of σ.

— If F is ¬p, assume that (ℳ,ℐ) ⊭ [s,t]¬p, i.e. there exists i ∈ T such
that ℐ*(s) ≤ i ≤ ℐ*(t) and p ∈ σ(i). Hence, by definition of σ, there is
a node [s',t']p in B where ℐ*(s') ≤ i ≤ ℐ*(t'). Since B is complete, both
s ≤ t and s' ≤ t' are in K (otherwise, t ≤ s − 1 or t' ≤ s' − 1 would be
in K, contradicting the fact that neither [ℐ*(s), ℐ*(t)] nor [ℐ*(s'), ℐ*(t')]
is empty), and the conflict resolution rule is applied to s ≤ t, s' ≤ t',
[s,t]¬p and [s',t']p. Hence, either t ≤ s' − 1 or t' ≤ s − 1 is a node of B.
In both cases, the intersection of [ℐ*(s), ℐ*(t)] and [ℐ*(s'), ℐ*(t')] would
be empty, contradicting the choice of i.

2. The inductive step follows from Lemma 4.
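To see what an open branch actually certifies, here is the finite-model semantics of the operators written out as an evaluator, as an added example (not code from the paper or from TabPlan). It assumes the strict readings of the operators that the rules of Table 1 and the witness in the proof of Lemma 4 encode (a future operator looks at points after i, a past one at points before i, and AUB at i needs B at some m > i with A at every j, i < j < m); the tuple encoding of formulas is also an assumption of this example. It checks the interpretation σ read off the branch ending at node 20 of the Section 2 example (p and q at point 1) against A = ◇p ∧ □(¬p ∨ q), and includes a brute-force bounded search only as a cross-check of the "smallest model" claim made there.

```python
# Added example (not from the paper): the finite-model semantics of nnf LTL,
# used to check that the interpretation read off an open branch is a model.
# Formulas are nested tuples: ("atom", p), ("not", p), ("and", A, B),
# ("or", A, B), ("F", A) / ("G", A) for the future diamond / box, ("P", A) /
# ("H", A) for the past diamond / box, ("U", A, B), ("S", A, B). The strict
# readings below are the ones the rules of Table 1 encode (an assumption of
# this example): future operators quantify over points after i, past ones
# over points before i, and AUB at i needs B at some m > i with A at every
# j, i < j < m (the witness used in the proof of Lemma 4).
from itertools import product


def holds(formula, sigma, n, i):
    """True iff M_i |= formula, for M = ((0, ..., n), sigma)."""
    op = formula[0]
    if op == "atom":
        return formula[1] in sigma[i]
    if op == "not":
        return formula[1] not in sigma[i]
    if op == "and":
        return holds(formula[1], sigma, n, i) and holds(formula[2], sigma, n, i)
    if op == "or":
        return holds(formula[1], sigma, n, i) or holds(formula[2], sigma, n, i)
    future, past = range(i + 1, n + 1), range(0, i)
    if op == "F":
        return any(holds(formula[1], sigma, n, j) for j in future)
    if op == "G":
        return all(holds(formula[1], sigma, n, j) for j in future)
    if op == "P":
        return any(holds(formula[1], sigma, n, j) for j in past)
    if op == "H":
        return all(holds(formula[1], sigma, n, j) for j in past)
    if op == "U":
        return any(holds(formula[2], sigma, n, m)
                   and all(holds(formula[1], sigma, n, j) for j in range(i + 1, m))
                   for m in future)
    if op == "S":
        return any(holds(formula[2], sigma, n, m)
                   and all(holds(formula[1], sigma, n, j) for j in range(m + 1, i))
                   for m in past)
    raise ValueError(f"unknown operator {op!r}")


def is_model(formulas, sigma, n):
    """M is a model of S iff every formula of S holds at point 0, which is
    what initialising the tableau with [start]A for each A in S asks for."""
    return all(holds(f, sigma, n, 0) for f in formulas)


def smallest_model(formulas, atoms, k):
    """Exhaustive search for a model of size at most k (the question the
    bounded tableau answers); only meant as a cross-check on tiny inputs."""
    atoms = list(atoms)
    for n in range(k + 1):
        for bits in product(range(2 ** len(atoms)), repeat=n + 1):
            sigma = {i: {a for b, a in enumerate(atoms) if (bits[i] >> b) & 1}
                     for i in range(n + 1)}
            if is_model(formulas, sigma, n):
                return n, sigma
    return None


# A = Dia p /\ Box(-p \/ q), the formula of the worked tableau of Section 2.
EXAMPLE_A = ("and", ("F", ("atom", "p")),
             ("G", ("or", ("not", "p"), ("atom", "q"))))
# sigma read off the open branch ending at node 20: p and q hold at point 1.
SIGMA_20 = {0: set(), 1: {"p", "q"}}
# sigma of the more general model described for the branch through node 21.
SIGMA_21 = {0: set(), 1: {"q"}, 2: {"p", "q"}}

if __name__ == "__main__":
    print(is_model([EXAMPLE_A], SIGMA_20, 1), is_model([EXAMPLE_A], SIGMA_21, 2))
    print(smallest_model([EXAMPLE_A], ["p", "q"], 3))
```

Note that a one-point interpretation cannot satisfy A under the strict reading, whatever holds at point 0, which is why the tableau needs start + 1 ≤ finish (node 9) before it can close the branch through node 8.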

3.4 Complexity and the Search for Models of Any Finite Size

Since the rules of the calculus are invertible, the search for a model can be done
by construction of a single (canonical) tableau, following any strategy to choose
the nodes to be expanded. It can be shown that the length of a branch in a
tableau for S ∪ {finish ≤ start + k} is polynomial in n × k, where n is the size
of S. Since testing whether a branch is open or not can be done in polynomial
time, a non-deterministic algorithm implementing the proposed tableau system is
O(n × k)¹. A deterministic algorithm is O(2^{n×k}), since the number of branches
must also be taken into account. However, the space required by depth-first
search is still polynomial in n × k.

Suitable versions of Theorems 2 and 3 also hold when tableaux are initialized
without any constraint of the form finish ≤ start + k: if ℳ is a model of S,
then any canonical tableau for S has a finite open branch that is satisfiable in
ℳ, and, conversely, any complete and open tableau branch is satisfiable. This
gives a semi-decision procedure for testing satisfiability in models of finite size.

However, the calculus also induces a decision procedure for checking LTL finite
satisfiability. It is already known that finite satisfiability in LTL is decidable;
for instance, this can be proved by use of Lemma 4.5 in [20] (that can be easily
adapted to our finite semantics). Roughly, the lemma says that, given any model
ℳ of an LTL formula F, if two time points satisfy exactly the same subformulae
of F then they may collapse (and the interval between them disappear), so that
a smaller model ℳ' may be obtained. As a consequence of such a result, if F
has a model, then it has a model whose size does not exceed the cardinality of
the powerset of the set of its subformulae. In our framework, this implies that
by setting k to that cardinality in K = {finish ≤ start + k} we immediately get a
decision procedure for finite satisfiability in LTL.

¹ This corresponds to the fact that, although the general plan-existence problem
for STRIPS-like operators (see Section 4) is PSPACE-complete, planning is NP-
complete when only polynomial length plans are considered.

This may be interesting from a theoretical standpoint, but clearly impractical:
if the bound k on the model size is exponential in n, a doubly exponential
upper bound to the deterministic time complexity is obtained, and the space
complexity is exponential in n.

4 Planning in LTL

In this section, we give a brief overview of the main features of some important
search-based planning systems, in order to illustrate the advantages induced by
the use of LTL as a specification language for planning problems and the use of
the proposed tableau calculus as the basis for a plan search engine.

Most of the planning languages in the non-logical approach, whose semantics
has been given a formal characterisation, are extensions of the language of
STRIPS, the first major planning system [10]. In such languages, the description
of an action a consists of the specification of the preconditions for its executability,
a set of formulae describing, for some relations R, the set of elements that
will newly enjoy R in the situation that results from the execution of a (the
"add list") and formulae describing the set of elements that are going to lose
some property R after executing a (the "delete list"). Syntactic restrictions are
imposed on the formulae that are all

owed to occur in the precondition, add and
delete list, although different languages may vary in their expressive power.

Planners are planning algorithms that use the representation of the problem,
given by action descriptions together with a description of the initial situation
and goals, in order to synthesise a plan, i.e. a sequence of actions that, if executed,
would lead from the initial situation to the desired goals. The search for the plan
can be performed in different ways. Mainly, the following features characterise
different strategies:

— The search can either proceed in a data-driven manner, starting from the
initial situation (progression planners) or backward, taking the goals as the
starting point (regression planners), considering those actions that achieve
the goal and, in turn, their preconditions, until the initial situation is reached.

— The search space can be constituted either by the set of situations themselves,
actions transforming a situation into another one, a plan therefore being
a path leading from the initial situation to a situation where the goals are
satisfied (linear planners), or by a set of partial plans (partial order planning).
A partial plan is essentially a set of actions related by a (partial) ordering
relation. Partial order planning starts with the empty plan and successively
refines it, either by addition of new actions or of new temporal constraints between
them. The result of the search (the final plan) is itself a node in the
search space, fulfilling some requirement that, roughly, ensures that every
goal has been reached. This approach reflects the least commitment principle:
postpone constraining decisions till they are actually needed.

Although the preferability of one or the other of such approaches may strongly
depend on the problem structure, consensus suggests that regression and partial
order planning are generally more adequate to handle real world problems.
In [19], a partial order planning algorithm (UCPOP), working by regression,
is described. Succinctly, UCPOP starts with a plan consisting of two "dummy"
actions: start, whose effects are the initial conditions, and goal, whose preconditions
are the goals of the problem. Then, new actions and constraints are
successively added to the plan, until all preconditions are satisfied. At each step,
an "open" precondition P of an action a_i is chosen (that is not satisfied yet)
and either a new action or an existing action, having such precondition as effect,
is nondeterministically chosen and, if new, added to the plan. A causal link from
the chosen action a_j to a_i, labelled by P, is also added to the plan, in order to
record the fact that a_j is present in the plan exactly to produce P. After that,
UCPOP resolves possible threats: there may be actions a_threat in the plan whose
effect would destroy P. The threat is then solved either by promotion, adding
the time constraint a_threat < a_j, or demotion, by addition of the constraint
a_i < a_threat.

The use of LTL as a specification language allows one to encode planning
problems in a very flexible way. In general, the encoding of a planning problem
in LTL consists of the following sets of formulae:

— a set S of initial state formulae, describing the initial situation, where no
temporal operator occurs;

— a set F of goal formulae, describing what is expected to hold in the final situation,
each of which having the form ◇⁼(A ∧ □⊥), where ◇⁼B =def (B ∨ ◇B)
(under the strict semantics of the calculus, □⊥ holds exactly at the last time
point of a finite model);

— a set G of global assumptions, describing what holds in every situation (description
of action preconditions and effects, general truths, etc.), having the
form A ∧ □A.

Moreover, a specification can include a set T of task formulae, describing intermediate
tasks that have to be accomplished before reaching the goal, in the
form ◇⁼A. In some problems, in fact, the activity is more significant than the
goal and the specification of the goal state can even be equal to the initial state
one, but intermediate tasks must be performed: "do this and that, then go back
home". Intermediate tasks cannot be directly modeled in STRIPS-like languages,
which lack the capability to refer to what happens between the initial state
and the goal. They are taken into account by the Hierarchical Task Networks
approach (see, for example [9,23]), as well as in [1].²

The richer expressive power of LTL as a planning language, with respect to
STRIPS-like formalisms, can be exploited in several other directions. For example,
as a consequence of the fact that a plan consists of a partially ordered set
of actions, i.e. an action is identified with the state where it is performed,
STRIPS-like formalisms cannot cope in a natural manner with problems requiring
two or more actions to be performed simultaneously in order to achieve
a desired effect. In LTL, on the contrary, situations are not identified with actions
(which are represented by means of ordinary propositions), so that nothing
prevents a model from containing a situation where two or more actions are performed.
Furthermore, parallel actions can be modeled.

² Obviously, such tasks could be represented by means of goals of the form "having
this and that done", but this is an unnecessary complication.
The same advantages are shared by the "planning as satisfiability" paradigm,
proposed by Kautz and Selman [12], the logical language used to encode
planning problems being propositional logic. However, with respect to the use
of propositional logic, in an LTL specification time is implicitly represented and
the presence of the binary temporal operators "since" and "until" gives the language
a very rich expressive power, resulting in the possibility to assert what
must hold in a whole interval.

When model search for LTL formulae is performed by means of the proposed
tableau system, different plan search strategies may be simulated, by use of
different ways of writing global assumptions. For instance, the regression strategy
followed by UCPOP may be simulated by means of "regression encodings",
where effect and frame axioms have the form □(p → …), where
A (resp. B) encodes all the conditions that may lead p to become true (resp.
false): if p is true sometime, then it must be the case that either some action
was performed before (A), having p as effect, and such an effect has not been
destroyed (by B) since then, or p has always been true and no action destroying
p has ever been performed. The search in the tableau resulting from the expansion
of such regression axioms is goal driven. The partial ordering of time points
in tableau construction reflects a form of plan-space search planning, while the
conflict resolution rules are also used for solving UCPOP "threats". Data-driven
plan construction may be expressed as well, by means of global assumptions
("progression encodings") roughly stating that if an action is performed at point
i, then its effects hold at point i + 1 (or even in a whole interval, until (possibly)
such effects are destroyed), and classical frame conditions for all literals. A detailed
description of such encodings, and the induced plan search mechanisms,
would exceed space limits and will be given elsewhere.

The application of LTL to planning has been considered in other works.
For example, [3] applies the executable temporal language METATEM [2] to
planning and scheduling. F. Bacchus and F. Kabanza [1] use a version of temporal
logic to specify temporally extended goals as sets of acceptable sequences of
states, i.e. temporal models, and define correct plans as those whose execution
results in one of such sequences.³ In both cited works, only a form of linear, data-driven
planning is obtained.



5 Conclusions and Related Work

In this work, the possibility of using linear temporal logic as a planning language
is investigated, in the view that a plan is a finite model of the specification of
the problem. With respect to formalisms used in the search-based approach to
planning, the use of LTL shares the advantages of any logical approach: a formal
semantics, generality and expressivity. Furthermore, using a well studied logic
allows the exploitation of meta-theoretical results. In this case, we know that
completeness (with respect to plan construction of any length) is not lost if the
search is restricted to consider plans whose maximal length is the cardinality of the
powerset of the set of subformulae of S, where S is the problem specification.

³ Temporal logic is not used to encode the planning problem entirely: actions are
described in an ADL format, and an Expand operation is used, that, applied to a
state s, generates all the successors of s that are produced by performing any allowed
action.

On the other hand, the tableau calculus by means of which model search is
performed allows the embedding of different strategies and techniques borrowed
from the search-based approach to planning, depending on the encoding of the
problem. In particular, plan space search can be simulated, since the calculus uses
labelled formulae, labels corresponding to time intervals where the corresponding
formulae are true, and time points are only partially ordered.

Different proof systems for linear temporal logic can be found in the literature,
that can be turned into model search methods (the underlying model of
time being however always infinite). Most of them (for example, [22,4,2]) are
essentially based on the following equivalences

    ◇A ≡ A ∨ ○◇A          AUB ≡ B ∨ (A ∧ ○(AUB))

where ○ is the "next" operator and ◇ and U have the weak semantics, including
the present time point. Rewriting a formula of the form ◇A as A ∨ ○◇A leads
to choosing whether to "execute" A in the present time point or to postpone its
execution, the same problem passing on to the next time point. Consequently,
in the model description that results from the construction, the ordering of time
points is always total. Moreover, such systems must be equipped with some
mechanism to check whether all "eventualities" (formulae in the scope of a ◇ or
◆, or in the right scope of a U or S operator) are sooner or later satisfied.

The systems reported in [18,17], carrying on the work in [11], are significantly
different from the above ones. Several important points of such works
are taken up in the present paper. In [18], where only unary temporal operators
are considered, the construction of tableau branches terminates and branch
closure is reduced to the satisfiability of the set of integer constraints in the
branch. The introduction of the "since" and "until" operators, which is however
essential in coding planning problems, raises new difficulties. In [17] the
tableau expansion rules for such operators are mainly based on the equivalences
AUB ≡ B ∨ (A ∧ ○(AUB)) and the symmetric one for S, but an ingenious
rewriting of the "contracted" formula into a propositional letter guarantees termination.
After the terminating tableau expansion, branch closure is checked
by reduction to a model checking problem in CTL with fairness constraints, in
the style of [4]. Because of the special form of the set of active formulae in the
branch, the model checking problem is somewhat simplified. Surely, focusing on
finite models could lead to simpler solutions. In this case, in fact, some hard
problems disappear, such as the problem of fairness conditions (in connection
with formulae of the form □◇A).

This work lays the theoretical grounds for the use of LTL, with the proposed
tableau system, to solve planning problems. A prototype implementation exists,
TabPlan. It is written in Standard ML and uses a modification of the Bellman-Ford
shortest path algorithm to check branch closure, allowing for incremental tests,
so that as soon as a new constraint is produced, the set is tested for consistency
considering only what has been newly modified. Moreover, some obvious shortcuts
are added to the rule set. In order to have a practical planning system and
collect experimental results on significant planning problem examples, however,
some theoretical work still has to be done.

One of the first issues to be addressed is the characterization of the class
of formulae involved in different encodings of planning problems. In fact, one
does not expect that a general purpose system for full temporal logic over finite
domains can compete with special purpose planners. One of the main reasons
is that the encoding of a planning problem never exploits the full expressive
power of LTL. For example, the nesting of temporal operators is always limited;
regression encodings mainly use past time operators and progression ones future
time operators; the occurrences of β-subformulae can be recognized to have a
regular structure, which allows one to solve the general problem raised by β-chains.
Hence, refinements of the calculus for planning formulae can be defined, in order
to improve TabPlan performance.

A further issue concerns the extension to a limited first order language. In 
fact, although from a theoretical standpoint propositional logic suffices to 
represent planning problems over finite domains, it goes without saying that 
treating an existentially quantified formula as the finite disjunction of its 
instances is not a satisfactory solution. It would be a gross violation of the 
least commitment principle. 

Finally, the possibility to apply TabPlan to other domains, such as, for 
example, the management of dynamical integrity constraints in databases, is to 
be investigated. 

Acknowledgements. The authors are strongly indebted to Jean Goubault-Larrecq 
for reading a first version of this paper and making helpful remarks. We 
also thank Wolfgang Gehrke for implementing the first TabPlan prototype. 
Abstract. Circumscription is a non-monotonic formalism based on the 
idea that objects satisfying a certain predicate expression are considered 
as the only objects satisfying it. Theoretical complexity results imply 
that circumscription is (in the worst case) computationally harder than 
classical logic. This somehow contradicts our intuition about common-sense 
reasoning: non-monotonic rules should help to speed up the reasoning 
process, and not to slow it down. 

In this paper, we consider a first-order sequent calculus for circumscription 
and show that the presence of circumscription rules can tremendously 
simplify the search for proofs. In particular, we show that certain 
sequents have only long “classical” proofs, but short proofs can be 
obtained by using circumscription. 



1 Introduction 

One motivation for the introduction of non-monotonic reasoning principles was 
the hope to speed up the reasoning process. Instead of specifying an exhaustive 
list of procedures, “rules of thumb” should enable an automated reasoning 
machine (like, e.g., a robot) to draw inferences in a more efficient and 
timesaving way. Unfortunately, these expectations were somewhat shattered as 
soon as complexity results appeared for these logics (see, e.g., [12,14,15,18,26]; 
an overview is given in [8]). Basically, it turned out that almost all 
non-monotonic formalisms are “harder” than classical logic (for propositional 
systems, this holds under the proviso that the polynomial hierarchy does not 
collapse). However, these results are just one side of the coin. They only show 
how non-monotonic reasoning behaves in the worst case, but they give no 
indication on how we can profit from non-monotonic rules. Among the few 
investigations emphasizing this point are the works by Cadoli, Donini and 
Schaerf [6,7]. Roughly speaking, they show that, unless the polynomial hierarchy 
collapses, propositional non-monotonic systems allow a “super-compact” 
representation of knowledge as compared with (monotonic) classical logic. 

Recently, tableau and sequent-style calculi for various forms of non-monotonic 
reasoning have been introduced [1,3,4,5,21,22,23]. In this paper, we consider 
a generalization, CIRC*, of the cut-free sequent calculus for propositional 
circumscription, introduced by Bonatti and Olivetti in [5]. CIRC* consists of three 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 141-155, 1998. 
parts, namely a classical (first-order) LK-calculus, a “complementary” sequent 
calculus for propositional logic, and certain inference rules formalizing 
circumscription. In the complementary calculus, “anti-sequents” of the form 
Γ ⊬ Θ state the non-derivability of Θ from Γ. 

The basic idea of our approach is the following. We compare in the calculus 
CIRC* the minimal proof length of “purely classical” proofs, i.e., of proofs 
without applications of circumscription rules, with proofs where circumscription 
is applied. More precisely, we show that there are infinite sequences 
$(C_k)_{k \in \mathbb{N}}$, $(S_k)_{k \in \mathbb{N}}$ of sequents with the 
following properties: 

1. The minimal proof length of C_k in CIRC* is non-elementary in k, i.e., the 
proof length of C_k is of the order s(k), where s(0) := 1 and 
$s(n+1) := 2^{s(n)}$ for all n ≥ 0. 

2. The minimal proof length of S_k in CIRC* is linear in k. 

C_k represents the fact that a certain formula H_k is “classically” derivable from 
a given theory T, whereas S_k represents the fact that H_k is proved with the 
help of circumscription. Although the derivation of H_k with the non-monotonic 
rules involves both a classical derivation and a derivation in the complementary 
calculus, for sufficiently large k, the length of this proof is much shorter than 
the proof of H_k without circumscription. The reason is that the length of any 
cut-free proof of H_k is non-elementary in the size of the input formula, but short 
proofs can be obtained by using the cut rule, and circumscription provides 
additional information such that “one part” of the short classical proof with 
cut is sufficient. Moreover, since for first-order cut-free sequent calculi, the size 
of the search space is elementarily related to the minimal proof length, a 
non-elementary decrease of the search space is also achieved. 

A motivation of our method can be given as follows. Usually, non-monotonic 
techniques are applied in case a classical proof cannot be found. Although this 
is a reasonable procedure in decidable systems, it is not appropriate for 
undecidable systems like first-order logic. Indeed, if we integrate non-monotonic 
rules into first-order theorem provers, we have to invoke non-monotonic 
mechanisms after a certain amount of time, whenever the goal formula has not been 
proven classically up to this point. Accordingly, it may happen that a formula is 
provable both classically and with the help of non-monotonic rules. Our result 
shows therefore that, in certain cases, the theorem prover may find a proof more 
easily because the presence of circumscription rules yields a much smaller search 
space. 

The paper is organized as follows. In Section 2 we introduce basic definitions 
and notations. Moreover, the sequent calculus CIRC* is described. In Section 3 we 
prove our main result, and in Section 4 we conclude with some general remarks. 



2 Preliminaries 

Throughout this paper we use a first-order language consisting of variables, 
function symbols, predicate symbols, logical connectives, quantifiers and 
punctuation symbols. Terms and formulae are defined according to the usual 
formation rules. We will identify 0-ary predicate symbols with propositional 
atoms, and 0-ary function symbols with (object) constants. 

Let t be the function with $t(x,0) := 2^x$ and $t(x,n+1) := 2^{t(x,n)}$ for all 
n ∈ ℕ. A function f : ℕ → ℕ is called elementary iff there is a Turing machine 
M and a constant c ∈ ℕ such that M computes f and the computing time 
T_M(x) of M with input x obeys the relation T_M(x) ≤ t(x,c), for all x ∈ ℕ. 
Note that, for each fixed n ∈ ℕ, the function t(·,n) itself is elementary. On the 
other hand, the function s, defined by s(n) := t(0,n), is non-elementary. 

2.1 Circumscription 

Reasoning under circumscription is based on the idea that objects satisfying a 
certain predicate expression P are considered as the only objects satisfying it. 
Roughly speaking, the positive information about P is treated as a sufficient part 
of a definition of P, and the circumscription of P “completes” this definition 
by minimizing the extension of P.¹ In this process, one can determine which 
predicate symbols shall be minimized, which predicate symbols shall retain their 
meaning, and which ones can be varied. In contrast to classical reasoning, under 
circumscription, logical consequence is evaluated in terms of models which are 
minimal in a certain sense. 

Definition 1. Let S be a finite set of closed formulae, let M, N be two models 
of S, and let P, R be finite sets of predicate symbols such that P and R are 
disjoint. We call M a (P;R)-submodel of N, symbolically $M \preceq_{P;R} N$, iff the 
following conditions are satisfied: 

1. M and N have the same domain; 

2. M and N have the same interpretation for each predicate symbol in R; 

3. the interpretation of each predicate symbol F ∈ P in M is a subset of the 
interpretation of F in N. □ 

Note that in condition 3, if F is a propositional atom, then F must be true in 
N whenever it is true in M. 

Clearly, the relation $\preceq_{P;R}$ is a pre-order. The minimal objects with respect 
to this ordering are called (P;R)-minimal. Observe that in the relation $\preceq_{P;R}$, 
all function symbols are allowed to vary. 

Definition 2. Under the circumstances of Definition 1, we say that a formula 
A is entailed by S (with circumscribed predicate symbols P and fixed predicate 
symbols R), written $S \models_{P;R} A$, iff A is true in all (P;R)-minimal models of 
S. □ 
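As an added illustration that is not part of the paper, the following Python computes the (P;R)-minimal models of Definition 1 and the entailment of Definition 2 by brute force in the propositional case (0-ary predicates), where the submodel relation reduces to comparing sets of true atoms. The tuple encoding of formulae and the sample theory {r → q} with q circumscribed (the theory behind the sequents S_k and C_k of Section 3) are constructed here.

```python
from itertools import product

# Propositional formulae are nested tuples (a constructed encoding, not the
# paper's notation): an atom is a string; otherwise ('not', A), ('and', A, B),
# ('or', A, B) or ('imp', A, B). A model is the frozenset of atoms that are true.

def holds(f, model):
    """Truth value of formula f in the given model."""
    if isinstance(f, str):
        return f in model
    op, *args = f
    if op == 'not':
        return not holds(args[0], model)
    a, b = holds(args[0], model), holds(args[1], model)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[op]

def atoms(f):
    """Set of atoms occurring in f."""
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(x) for x in f[1:]))

def models(theory, universe):
    """All models of the theory over the atoms in `universe` (2^n candidates)."""
    universe = sorted(universe)
    result = []
    for bits in product((False, True), repeat=len(universe)):
        m = frozenset(a for a, on in zip(universe, bits) if on)
        if all(holds(f, m) for f in theory):
            result.append(m)
    return result

def submodel(m, n, P, R):
    """M <=_{P;R} N of Definition 1 for propositional atoms: same interpretation
    of the fixed atoms R, and every minimised atom (in P) true in M is also
    true in N. Atoms outside P and R are allowed to vary, so they are ignored."""
    return m & R == n & R and m & P <= n & P

def minimal_models(theory, P, R, universe):
    """(P;R)-minimal models: those with no other model strictly below them."""
    ms = models(theory, universe)
    return [m for m in ms
            if not any(submodel(n, m, P, R) and not submodel(m, n, P, R)
                       for n in ms)]

def entails(theory, query, P=(), R=()):
    """theory |=_{P;R} query (Definition 2): the query holds in every
    (P;R)-minimal model. With P = R = () every model is minimal, so this is
    plain classical entailment."""
    P, R = frozenset(P), frozenset(R)
    universe = P | R | atoms(query)
    for f in theory:
        universe |= atoms(f)
    return all(holds(query, m) for m in minimal_models(theory, P, R, universe))

# The theory r -> q behind the sequents S_k and C_k (constructed sample).
THEORY = [('imp', 'r', 'q')]

def paper_example():
    """Circumscribing q while r varies forces q to be false; neither fixing r
    nor classical reasoning gives that conclusion."""
    return {
        'circ_q_varies_r': entails(THEORY, ('not', 'q'), P={'q'}),            # True
        'circ_q_fixed_r': entails(THEORY, ('not', 'q'), P={'q'}, R={'r'}),    # False
        'classical': entails(THEORY, ('not', 'q')),                           # False
    }

if __name__ == '__main__':
    print(paper_example())
```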

Historically, circumscription was proposed by McCarthy in [19,20], where the 
minimization principle is encoded in the form of a certain second-order formula. 
Subsequently, circumscription has been advanced by many AI researchers resulting 
in a whole family of different circumscription techniques. Our version of 
circumscription is a special form of that given by Lifschitz [16]. 

¹ Circumscription is closely related to predicate completion in clause logic [9], and to 
the well-known closed world assumption [25]. 
2.2 Classical Proof Machinery 

A (classical) sequent S is an ordered tuple of the form Γ ⊢ Σ, where Γ, Σ are 
finite sequences of first-order formulae. Γ is the antecedent of S, and Σ is the 
succedent of S. The informal meaning of a sequent A_1, ..., A_n ⊢ B_1, ..., B_m is 
the same as the informal meaning of the formula 
$(\bigwedge_{i=1}^{n} A_i) \to (\bigvee_{j=1}^{m} B_j)$. 

As proof system we use the (cut-free) sequent calculus LK. Axioms (or initial 
sequents) are sequents of the form A ⊢ A, where A is any first-order formula. 
The inference rules of LK are given below, consisting of the logical rules, the 
quantifier rules and the structural rules. 



System LK: Logical Rules 

$$\frac{\Gamma_1, A, \Gamma_2 \vdash \Sigma}{\Gamma_1, (A \land B), \Gamma_2 \vdash \Sigma}\ (\land l_1) \qquad \frac{\Gamma_1, A, \Gamma_2 \vdash \Sigma}{\Gamma_1, (B \land A), \Gamma_2 \vdash \Sigma}\ (\land l_2)$$ 

$$\frac{\Gamma \vdash \Sigma_1, A, \Sigma_2 \qquad \Pi \vdash \Lambda_1, B, \Lambda_2}{\Gamma, \Pi \vdash \Sigma_1, \Lambda_1, (A \land B), \Sigma_2, \Lambda_2}\ (\land r)$$ 

$$\frac{\Gamma_1, A, \Gamma_2 \vdash \Sigma_1 \qquad \Pi_1, B, \Pi_2 \vdash \Sigma_2}{\Gamma_1, \Pi_1, (A \lor B), \Gamma_2, \Pi_2 \vdash \Sigma_1, \Sigma_2}\ (\lor l)$$ 

$$\frac{\Gamma \vdash \Sigma_1, A, \Sigma_2}{\Gamma \vdash \Sigma_1, (A \lor B), \Sigma_2}\ (\lor r_1) \qquad \frac{\Gamma \vdash \Sigma_1, A, \Sigma_2}{\Gamma \vdash \Sigma_1, (B \lor A), \Sigma_2}\ (\lor r_2)$$ 

$$\frac{\Gamma \vdash \Sigma_1, A, \Sigma_2 \qquad \Pi_1, B, \Pi_2 \vdash \Lambda}{\Gamma, (A \to B), \Pi_1, \Pi_2 \vdash \Sigma_1, \Sigma_2, \Lambda}\ (\to l)$$ 

$$\frac{\Gamma_1, A, \Gamma_2 \vdash \Sigma_1, B, \Sigma_2}{\Gamma_1, \Gamma_2 \vdash \Sigma_1, (A \to B), \Sigma_2}\ (\to r)$$ 

$$\frac{\Gamma_1, \Gamma_2 \vdash \Sigma_1, A, \Sigma_2}{\Gamma_1, \neg A, \Gamma_2 \vdash \Sigma_1, \Sigma_2}\ (\neg l) \qquad \frac{\Gamma_1, A, \Gamma_2 \vdash \Sigma_1, \Sigma_2}{\Gamma_1, \Gamma_2 \vdash \Sigma_1, \neg A, \Sigma_2}\ (\neg r)$$ 



System LK: Quantifier Rules 

$$\frac{\Gamma_1, A(t), \Gamma_2 \vdash \Sigma}{\Gamma_1, \forall x\,A(x), \Gamma_2 \vdash \Sigma}\ (\forall l) \qquad \frac{\Gamma \vdash \Sigma_1, A(y), \Sigma_2}{\Gamma \vdash \Sigma_1, \forall x\,A(x), \Sigma_2}\ (\forall r)$$ 

$$\frac{\Gamma_1, A(y), \Gamma_2 \vdash \Sigma}{\Gamma_1, \exists x\,A(x), \Gamma_2 \vdash \Sigma}\ (\exists l) \qquad \frac{\Gamma \vdash \Sigma_1, A(t), \Sigma_2}{\Gamma \vdash \Sigma_1, \exists x\,A(x), \Sigma_2}\ (\exists r)$$ 

∀r and ∃l must fulfill the eigenvariable condition: the (free) variable y must not 
occur in the conclusion of the rule. For ∀l and ∃r, the term t must be free for x 
in A. 



System LK: Structural Rules 

WEAKENING 

$$\frac{\Gamma_1, \Gamma_2 \vdash \Sigma}{\Gamma_1, A, \Gamma_2 \vdash \Sigma}\ (wl) \qquad \frac{\Gamma \vdash \Sigma_1, \Sigma_2}{\Gamma \vdash \Sigma_1, A, \Sigma_2}\ (wr)$$ 

CONTRACTION 

$$\frac{\Gamma_1, A, \Gamma_2, A, \Gamma_3 \vdash \Sigma}{\Gamma_1, A, \Gamma_2, \Gamma_3 \vdash \Sigma}\ (cl) \qquad \frac{\Gamma \vdash \Sigma_1, A, \Sigma_2, A, \Sigma_3}{\Gamma \vdash \Sigma_1, A, \Sigma_2, \Sigma_3}\ (cr)$$ 



We also use the following two systems: LK_0 is the propositional version of 
LK (i.e., without quantifier rules and restricted to sequents which contain only 
propositional formulae), and LKcut is LK together with the cut rule: 

$$\frac{\Gamma \vdash \Sigma_1, A, \Sigma_2 \qquad \Pi_1, A, \Pi_2 \vdash \Lambda}{\Gamma, \Pi_1, \Pi_2 \vdash \Sigma_1, \Sigma_2, \Lambda}\ (cut)$$ 

Let α be a proof in LK, LK_0 or LKcut. The length of α is the number of 
sequents occurring in α. We denote the length of α by |α|. 



2.3 Proof Machinery for Circumscription 

Recently, Bonatti and Olivetti [5] introduced a sequent calculus for propositional 
circumscription, following closely their earlier contributions of presenting similar 
systems for default logic and autoepistemic logic [3,4]. Like its predecessors, the 
newly proposed calculus consists of three parts, namely a classical propositional 
sequent calculus, a propositional anti-sequent calculus (the complementary 
system), and certain inference rules involving circumscription. The ingenious part 
in their approach is the use of the complementary system formalizing invalid 
statements, i.e., an anti-sequent Γ ⊬ Θ is provable in the complementary sequent 
calculus iff the corresponding classical sequent Γ ⊢ Θ is invalid. In general, 
two logical systems are complementary iff objects derivable in one system are 
not derivable in the other system and vice versa.² 

The study of logical systems describing invalid statements is a less known 
branch of logic tracing back as early as Aristotle’s theory of syllogisms. The 
first modern author who introduced a logical calculus for rejected statements 
was Łukasiewicz in his attempt to translate Aristotle’s system of syllogisms into 
present-day logic [17]. However, his system is of a somewhat hybrid nature: 

² The term “complementary proof system” is due to Varzi [27]. 
it defines rejected statements in terms of valid and invalid ones. As a preparatory 
step for his default logic calculus, Bonatti introduced in [2] a sequent calculus for 
invalid formulae whose description relies purely on the notion of unprovability. 
Independently, Goranko [13] presented essentially the same calculus as part of 
several complementary sequent calculi for certain modal logics. 

Since we use first-order formulae for our result, we must slightly generalize 
the system of Bonatti and Olivetti. Due to the undecidability of first-order logic, 
we cannot have a sound and complete formalization of first-order non-theorems. 
If one wants to construct such a sound and complete axiomatization of invalid 
statements, only a decidable subclass of first-order formulae can be used. In fact, 
for our purpose, it suffices to generalize only the “classical part” of their system, 
but the “complementary part” remains propositional. It is straightforward to 
check that the soundness and completeness results given in [5] hold for our 
version of the calculus as well. 

We will introduce now this slightly generalized calculus for circumscription, 
called CIRC*. 

In the remainder of this paper, we use upper-case Greek letters (possibly 
with subscripts) in the following way: Γ and Θ shall denote finite sequences of 
propositional formulae, Σ shall denote finite sequences of propositional atoms, 
and Δ shall denote finite sequences of closed first-order formulae. Furthermore, 
P and R shall always represent finite sets of propositional atoms. 

For a sequence s of formulae, the expression $\bar{s}$ stands for the set of elements 
of s; the empty sequence will be denoted by ε. 

Definition 3. 

1. An anti-sequent is an ordered pair of the form Γ ⊬ Θ. 

2. A circumscription sequent is an ordered 5-tuple of the form Σ; Γ ⊢_{P;R} Δ, 
provided that $(P \cup \bar{\Sigma}) \cap R = \emptyset$. □ 

The sequence Σ occurring in a circumscription sequent Σ; Γ ⊢_{P;R} Δ is 
introduced for technical reasons only; its elements are called constraints. 

Definition 4. 

1. An anti-sequent Γ ⊬ Θ is true iff there is a first-order interpretation such 
that the classical sequent Γ ⊢ Θ is false. 

2. A circumscription sequent Σ; Γ ⊢_{P;R} Δ is true iff for any 
$(P \cup \bar{\Sigma}; R)$-minimal model M of $\bar{\Gamma}$ satisfying $\bar{\Sigma}$, 
at least one element of Δ is true in M. □ 

Obviously, Γ ⊬ Θ is true iff Γ ⊢ Θ is invalid, and ε; Γ ⊢_{P;R} A_1, ..., A_n is 
the syntactical counterpart of $\bar{\Gamma} \models_{P;R} A_1 \lor \ldots \lor A_n$. 

The complementary sequent calculus LK_0^c is defined as follows. The axioms of 
LK_0^c are anti-sequents of the form Φ ⊬ Ψ, where Φ and Ψ are finite sequences 
of propositional atoms such that $\bar{\Phi} \cap \bar{\Psi} = \emptyset$. The inference 
rules of LK_0^c comprise the logical rules and the structural rules, which are 
given below. 
System LK_0^c: Logical Rules 

$$\frac{\Gamma_1, A, \Gamma_2, B, \Gamma_3 \nvdash \Theta}{\Gamma_1, (A \land B), \Gamma_2, \Gamma_3 \nvdash \Theta}\ (\land l')$$ 

$$\frac{\Gamma \nvdash \Theta_1, A, \Theta_2}{\Gamma \nvdash \Theta_1, (A \land B), \Theta_2}\ (\land r_1') \qquad \frac{\Gamma \nvdash \Theta_1, A, \Theta_2}{\Gamma \nvdash \Theta_1, (B \land A), \Theta_2}\ (\land r_2')$$ 

$$\frac{\Gamma_1, A, \Gamma_2 \nvdash \Theta}{\Gamma_1, (A \lor B), \Gamma_2 \nvdash \Theta}\ (\lor l_1') \qquad \frac{\Gamma_1, A, \Gamma_2 \nvdash \Theta}{\Gamma_1, (B \lor A), \Gamma_2 \nvdash \Theta}\ (\lor l_2')$$ 

$$\frac{\Gamma \nvdash \Theta_1, A, \Theta_2, B, \Theta_3}{\Gamma \nvdash \Theta_1, (A \lor B), \Theta_2, \Theta_3}\ (\lor r')$$ 

$$\frac{\Gamma_1, \Gamma_2 \nvdash \Theta_1, A, \Theta_2}{\Gamma_1, (A \to B), \Gamma_2 \nvdash \Theta_1, \Theta_2}\ (\to l_1') \qquad \frac{\Gamma_1, B, \Gamma_2 \nvdash \Theta}{\Gamma_1, (A \to B), \Gamma_2 \nvdash \Theta}\ (\to l_2')$$ 

$$\frac{\Gamma_1, A, \Gamma_2 \nvdash \Theta_1, B, \Theta_2}{\Gamma_1, \Gamma_2 \nvdash \Theta_1, (A \to B), \Theta_2}\ (\to r')$$ 

$$\frac{\Gamma_1, \Gamma_2 \nvdash \Theta_1, A, \Theta_2}{\Gamma_1, \neg A, \Gamma_2 \nvdash \Theta_1, \Theta_2}\ (\neg l') \qquad \frac{\Gamma_1, A, \Gamma_2 \nvdash \Theta_1, \Theta_2}{\Gamma_1, \Gamma_2 \nvdash \Theta_1, \neg A, \Theta_2}\ (\neg r')$$ 

System LK_0^c: Structural Rules 

CONTRACTION 

$$\frac{\Gamma_1, A, \Gamma_2, A, \Gamma_3 \nvdash \Theta}{\Gamma_1, A, \Gamma_2, \Gamma_3 \nvdash \Theta}\ (cl') \qquad \frac{\Gamma \nvdash \Theta_1, A, \Theta_2, A, \Theta_3}{\Gamma \nvdash \Theta_1, A, \Theta_2, \Theta_3}\ (cr')$$ 

Observe that these rules bear a close resemblance to their classical counterparts, 
except that each binary rule of LK gives rise to two rules in LK_0^c. Intuitively, 
we can say that what is exhaustive search in the classical calculus becomes 
non-determinism in the complementary calculus. If read from bottom to top, 
an LK_0^c-proof corresponds to the (successful) construction of a counterexample, 
given by its (unique) axiom. 

Theorem 1 ([2]). The anti-sequent Γ ⊬ Θ is provable in LK_0^c iff it is true. 

Corollary 1 ([2]). The anti-sequent Γ ⊬ Θ is provable in LK_0^c iff the classical 
sequent Γ ⊢ Θ is not provable in LK_0. 
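The bottom-up reading of the complementary calculus just described, as an added example that is not part of the paper: a Python search over the rules of LK_0^c that decomposes an anti-sequent Γ ⊬ Θ until only atoms remain, backtracking over the two variants of each former binary rule, and returns the axiom Φ ⊬ Ψ it reaches (hence a counter-model) or None when no proof exists. The formula encoding and the sample anti-sequents are constructed here; r → q ⊬ q is the one arising from the theory r → q used in Section 3.

```python
# Propositional formulae as nested tuples (constructed encoding): an atom is a
# string; otherwise ('not', A), ('and', A, B), ('or', A, B), ('imp', A, B).
# An anti-sequent Γ ⊬ Θ is a pair of lists (gamma, theta) of such formulae.

def holds(f, model):
    """Truth value of f in a model given as the frozenset of true atoms."""
    if isinstance(f, str):
        return f in model
    op, *args = f
    if op == 'not':
        return not holds(args[0], model)
    a, b = holds(args[0], model), holds(args[1], model)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[op]

def _first_compound(seq):
    """Index and formula of the first non-atomic formula in a sequence."""
    for i, f in enumerate(seq):
        if not isinstance(f, str):
            return i, f
    return None, None

def refute(gamma, theta):
    """Bottom-up search for an LK_0^c proof of gamma ⊬ theta.

    The rules are applied upwards: unary rules of LK_0^c have one premise, and
    where LK had a binary rule (∧r, ∨l, →l) the complementary calculus offers
    two rules, so those are choice points that the search backtracks over.
    Returns the axiom reached as a pair of atom sets (Phi, Psi) with
    Phi ∩ Psi = ∅, or None if there is no proof (then Γ ⊢ Θ is provable in
    LK_0 by Corollary 1)."""
    i, f = _first_compound(gamma)
    if f is not None:
        rest = gamma[:i] + gamma[i + 1:]
        op, *args = f
        if op == 'and':      # ∧l': both conjuncts stay in the antecedent
            options = [(rest + list(args), theta)]
        elif op == 'or':     # ∨l'_1 / ∨l'_2: keep one disjunct
            options = [(rest + [a], theta) for a in args]
        elif op == 'imp':    # →l'_1: A moves right; →l'_2: B stays left
            options = [(rest, theta + [args[0]]), (rest + [args[1]], theta)]
        else:                # ¬l': A moves to the succedent
            options = [(rest, theta + [args[0]])]
    else:
        i, f = _first_compound(theta)
        if f is None:
            # Only atoms remain: an axiom iff the two sides share no atom.
            return (set(gamma), set(theta)) if not set(gamma) & set(theta) else None
        rest = theta[:i] + theta[i + 1:]
        op, *args = f
        if op == 'and':      # ∧r'_1 / ∧r'_2: keep one conjunct
            options = [(gamma, rest + [a]) for a in args]
        elif op == 'or':     # ∨r': both disjuncts stay in the succedent
            options = [(gamma, rest + list(args))]
        elif op == 'imp':    # →r': A moves left, B stays right
            options = [(gamma + [args[0]], rest + [args[1]])]
        else:                # ¬r': A moves to the antecedent
            options = [(gamma + [args[0]], rest)]
    for g, t in options:     # the non-determinism of the complementary calculus
        found = refute(g, t)
        if found is not None:
            return found
    return None

def counter_model(gamma, theta):
    """Counterexample read off the axiom: atoms of Phi true, all others false.
    Returns None when the anti-sequent has no proof (the sequent is valid)."""
    axiom = refute(gamma, theta)
    if axiom is None:
        return None
    model = frozenset(axiom[0])
    # Sanity check that the proof is sound: Γ is true and Θ is false in the
    # model, i.e. Γ ⊢ Θ really is invalid.
    assert all(holds(f, model) for f in gamma)
    assert not any(holds(f, model) for f in theta)
    return model

# Constructed sample: the anti-sequent r -> q ⊬ q, refuted by the model in
# which both atoms are false (axiom ⊬ r, q reached via →l'_1).
PAPER_ANTISEQUENT = ([('imp', 'r', 'q')], ['q'])

if __name__ == '__main__':
    print(refute(*PAPER_ANTISEQUENT), counter_model(*PAPER_ANTISEQUENT))
```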
The length of an LK_0^c-proof is defined analogously to the classical case, i.e., 
as the number of anti-sequents occurring in it. 

Next we define the circumscription sequent calculus CIRC*. It consists of 
classical sequents, anti-sequents and circumscription sequents. Furthermore, it 
incorporates the systems LK for classical sequents and LK_0^c for anti-sequents. 
The additional inference rules for circumscription sequents are given below. 

System CIRC*: Logical Rules 

$$\frac{\Gamma_1, \Gamma_2 \nvdash q}{\Sigma_1, q, \Sigma_2;\ \Gamma_1, \Gamma_2 \vdash_{P;R} \Delta}\ (C_1) \qquad \frac{\Sigma, \Gamma \vdash \Delta}{\Sigma;\ \Gamma \vdash_{P;R} \Delta}\ (C_2)$$ 

$$\frac{\Sigma_1, q, \Sigma_2;\ \Gamma_1, \Gamma_2 \vdash_{P;R} \Delta_1 \qquad \Sigma_1, \Sigma_2;\ \Gamma_1, \neg q, \Gamma_2 \vdash_{P;R} \Delta_2}{\Sigma_1, \Sigma_2;\ \Gamma_1, \Gamma_2 \vdash_{P \cup \{q\};R} \Delta_1, \Delta_2}\ (C_3)$$ 

$$\frac{\Sigma;\ \Gamma_1, r, \Gamma_2 \vdash_{P;R} \Delta_1 \qquad \Sigma;\ \Gamma_1, \neg r, \Gamma_2 \vdash_{P;R} \Delta_2}{\Sigma;\ \Gamma_1, \Gamma_2 \vdash_{P;R \cup \{r\}} \Delta_1, \Delta_2}\ (C_4)$$ 

For the rule C_1, the propositional atom q must be present. 

System CIRC*: Structural Rules 

CONTRACTION 

$$\frac{\Sigma_1, q, \Sigma_2, q, \Sigma_3;\ \Gamma \vdash_{P;R} \Delta}{\Sigma_1, q, \Sigma_2, \Sigma_3;\ \Gamma \vdash_{P;R} \Delta} \qquad \frac{\Sigma;\ \Gamma_1, A, \Gamma_2, A, \Gamma_3 \vdash_{P;R} \Delta}{\Sigma;\ \Gamma_1, A, \Gamma_2, \Gamma_3 \vdash_{P;R} \Delta}$$ 

$$\frac{\Sigma;\ \Gamma \vdash_{P;R} \Delta_1, A, \Delta_2, A, \Delta_3}{\Sigma;\ \Gamma \vdash_{P;R} \Delta_1, A, \Delta_2, \Delta_3}$$ 

Let us give a brief explanation of these rules. The rules C_1 and C_2 represent 
two opposing situations in which circumscription sequents can be introduced: for 
rule C_1 it holds that if its premise is true then its conclusion is vacuously true, 
while rule C_2 states that classical entailment implies minimal entailment. Rule 
C_3 distinguishes the case when a minimized atom q is either true or false in 
a minimal model; similar considerations apply for rule C_4 and a fixed atom r. 
Incidentally, the latter rule implements a variant of the atomic cut rule, restricted 
to propositional variables from the fixed atoms R as cut formulae. 

Theorem 2 ([5]). The circumscription sequent Σ; Γ ⊢_{P;R} Δ is derivable in 
CIRC* iff it is true. 

As usual, the length of a proof in CIRC* is the number of sequents occurring 
in it (and this includes a fortiori the length of the LK_0^c-proofs for anti-sequents 
occurring as premises in applications of rule C_1, and the length of LK-proofs of 
classical sequents occurring as premises in applications of rule C_2). 
$$\begin{aligned} 
C_1(\alpha,\beta,\gamma) &:= \exists z\,(p(\alpha,\beta,z) \land p(z,\beta,\gamma)) \\ 
C_2(\alpha,\beta,\gamma) &:= \exists y\,(p(y,b_0,\alpha) \land C_1(\beta,y,\gamma)) \\ 
C &:= \forall u \forall v \forall w\,(C_2(u,v,w) \to p(v,u,w)) \\ 
B_0(\alpha) &:= \exists v_0\, p(b_0,\alpha,v_0) \\ 
B_{i+1}(\alpha) &:= \exists v_{i+1}\,(p(b_0,\alpha,v_{i+1}) \land B_i(v_{i+1})) \\ 
A_0(\alpha) &:= \forall w_0 \exists v_0\, p(w_0,\alpha,v_0) \\ 
A_{i+1}(\alpha) &:= \forall w_{i+1}\,(A_i(w_{i+1}) \to A_{i+1}(w_{i+1},\alpha)) \\ 
A_0(\alpha,\delta) &:= \exists v_0\, p(\alpha,\delta,v_0) \\ 
A_{i+1}(\alpha,\delta) &:= \exists v_{i+1}\,(A_i(v_{i+1}) \land p(\alpha,\delta,v_{i+1})) 
\end{aligned}$$ 

Fig. 1. Abbreviations used in the following. 



3 Main Result 

In this section, we show how circumscription can speed up proofs. We use a 
sequence of formulae for which Orevkov [24] showed a non-elementary lower 
bound on proof length in (cut-free) LK, but which possess short LKcut-proofs. We 
show that these short LKcut-proofs yield short CIRC*-proofs if the cut formulae 
can be derived by applying circumscription rules, but any such CIRC*-proof 
without circumscription has a non-elementary lower bound on proof length. 

Definition 5. Let F_k occur in the infinite sequence of formulae $(F_k)_{k \in \mathbb{N}}$ where 

$$F_k := \forall b\,\big((\forall w_0 \exists v_0\, p(w_0,b,v_0) \land \forall u \forall v \forall w\,(\exists y\,(p(y,b,u) \land \exists z\,(p(v,y,z) \land p(z,y,w))) \to p(v,u,w))) \to \exists v_k\,(p(b,b,v_k) \land \exists v_{k-1}\,(p(b,v_k,v_{k-1}) \land \ldots \land \exists v_0\, p(b,v_1,v_0) \ldots))\big).\ \square$$ 

Intuitively, p(x,y,z) represents the relation $x + 2^y = z$, and F_k “computes” 
certain numbers using a recursive definition of this relation. 

Abbreviations shown in Figure 1 are used in the following in order to simplify 
the notation. Using these abbreviations, F_k looks as follows: 

$$F_k = \forall b\,((A_0(b) \land C) \to B_k(b)).$$ 

The formulae F_k (k ∈ ℕ) have the following properties with respect to proof 
length. 

Proposition 1 ([24]). Let $(F_k)_{k \in \mathbb{N}}$ be the infinite sequence of formulae defined 
above. 

(a) There is an LKcut-proof ψ_k of ⊢ F_k such that |ψ_k| ≤ c_1·k + c_2, for some 
constants c_1, c_2. 

(b) For any (cut-free) LK-proof α of ⊢ F_k it holds that |α| > 2·s(k) + 1. 
Thus, eliminating the cut yields a non-elementary increase of proof length. 

In the following, we need the short LKcut-proof ψ_k of ⊢ F_k. However, we will 
not present ψ_k in all details but only sketch it, stressing the relevant details. 

There are two kinds of cut-free LK-derivations, namely β_k and δ_k(t), which 
are relevant in the following. The cut-free LK-derivations β_k and δ_k(t) have end 
sequents A_0(b_0), C ⊢ A_k(b_0) and A_0(b_0), C, A_k(t) ⊢ B_k(t), respectively. Then, 
the LKcut-proof ψ_k is as follows: 



$$\frac{\dfrac{\dfrac{\beta_k}{A_0(b_0), C \vdash A_k(b_0)} \qquad \dfrac{\delta_k(b_0)}{A_0(b_0), C, A_k(b_0) \vdash B_k(b_0)}}{A_0(b_0), C \vdash B_k(b_0)}\ (cut,\ cl,\ cl)}{\vdash \forall b\,((A_0(b) \land C) \to B_k(b))}\ (\land l_1,\ \land l_2,\ cl,\ \to r,\ \forall r)$$ 



The derivation of h Fk in LKcut discussed so far has one application of 
the cut rule where the cut formula Ak{bo) has a free variable. 

Definition 6. Let H_k (k ∈ ℕ) be formulae of the form 

$$H_k := (\forall x\,(A_k(x) \to q)) \to F_k,$$ 

where q is a propositional atom which does not occur elsewhere in A_i(x) or F_i 
(0 ≤ i ≤ k). □ 

An LKcut-derivation of ⊢ H_k is obtained from the derivation of ⊢ F_k in 
LKcut presented above by simply adding a wl inference with weakening formula 
∀x (A_k(x) → q), followed by an →r inference. 



$$\frac{\dfrac{\dfrac{\dfrac{\beta_k}{A_0(b_0), C \vdash A_k(b_0)} \qquad \dfrac{\delta_k(b_0)}{A_0(b_0), C, A_k(b_0) \vdash B_k(b_0)}}{A_0(b_0), C \vdash B_k(b_0)}\ (cut,\ cl,\ cl)}{\vdash \forall b\,((A_0(b) \land C) \to B_k(b))}\ (\land l_1,\ \land l_2,\ cl,\ \to r,\ \forall r)}{\vdash (\forall x\,(A_k(x) \to q)) \to \forall b\,((A_0(b) \land C) \to B_k(b))}\ (wl,\ \to r)$$ 

Clearly, the length of this proof is also linear in k. 

In contrast to this short LKcut-derivation, any derivation of the same end 
sequent in LK has length which is non-elementary in k. 



Lemma 1. Let α be an LK-proof of ⊢ H_k (k ∈ ℕ). Then the length of α is 
greater than c·s(k), for some constant c. 



Proof. There are two possible inferences by which the formula Q := (A_k(t) → q) 
can be introduced into α (where t is some term), namely wl and →l. Also, there 
are only two possible inferences by which the formula Q' := ∀x (A_k(x) → q) 
can be introduced, namely wl and ∀l. Without loss of generality we assume 
that α contains no weakenings of the latter kind, because such inferences can be 
simulated by wl with weakening formula Q and an application of ∀l, resulting 
in at most doubling the proof length. 

We first eliminate all occurrences of Q introduced by →l. Then, all occurrences 
of Q introduced by wl are eliminated, together with all inferences introducing 
Q'. The resulting derivation, β, is an LK-derivation of ⊢ F_k and, by Proposition 
1(b), the length of β is greater than 2·s(k) + 1. Moreover, since |α| ≥ |β|, 
the lemma will be proved. The details follow. 
Step 1. Q is introduced by →l. Select the first →l inference (with respect 
to some tree ordering) such that α_1 and α_2 do not have an →l inference 
introducing the formula Q. If there is no such inference, then go to Step 2. 
Otherwise, this first inference has the following form (I_1 and I_2 are 
LK-inferences), with the remaining part γ of α below it: 

$$\frac{\dfrac{\alpha_1}{\Gamma \vdash \Delta_1, A_k(t), \Delta_2}\ (I_1) \qquad \dfrac{\alpha_2}{\Pi_1, q, \Pi_2 \vdash \Delta_3}\ (I_2)}{\Gamma, (A_k(t) \to q), \Pi_1, \Pi_2 \vdash \Delta_1, \Delta_2, \Delta_3}\ (\to l)$$ 

Construct an LK-derivation of ⊢ H_k of the following form (again followed by γ): 

$$\frac{\dfrac{\dfrac{\dfrac{\alpha_2'}{\Pi_1', \Pi_2' \vdash \Delta_3'}\ (I_2')}{\Pi_1, \Pi_2 \vdash \Delta_3}\ (wl,\ wr)\ (*)}{\Gamma, \Pi_1, \Pi_2 \vdash \Delta_1, \Delta_2, \Delta_3}\ (wl,\ wr)\ (**)}{\Gamma, (A_k(t) \to q), \Pi_1, \Pi_2 \vdash \Delta_1, \Delta_2, \Delta_3}\ (wl)$$ 

The derivation α_2' is obtained from α_2 by omitting all weakenings introducing 
the formula q, and by omitting contractions upon q. I_2' is either I_2 or an 
inference occurring in α_2. The length of the resulting derivation is not greater 
than |α|, because occurrences of q in Π_1, Π_2, or Δ_3 are placed down to (*), 
and |α_1| is not less than the number of wl and wr in (**). 

Replace all such →l inferences without increasing the number of sequents, 
resulting in an LK-derivation where all occurrences of Q are introduced by 
wl. 

Step 2. Omit all wl introducing Q, and adjust the derivation by omitting all 
contractions upon formulae Q or Q' and all inferences using auxiliary formulae 
which contain the subformula Q. Since all occurrences of Q are introduced 
by wl, ⊢ F_k is derived. ■ 

The circumscription sequent we are interested in is 

S_k := ε; r → q ⊢_{q;∅} H_k, 

where r is a propositional atom different from q. 

In the following, we present a short CIRC*-proof of this sequent. We start 
with the classical derivation ϑ_k. This derivation includes the short LK-proof β_k 
described above. The LK-proof ϑ_k is as follows: 
$$\frac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\beta_k}{A_0(b_0), C \vdash A_k(b_0)}}{A_0(b_0) \land C \vdash A_k(b_0)}\ (\land l_1,\ \land l_2,\ cl)}{A_0(b_0) \land C \vdash B_k(b_0), r, A_k(b_0)}\ (wr,\ wr) \qquad \dfrac{q \vdash q}{q, \neg q \vdash}\ (\neg l)}{A_k(b_0) \to q, \neg q, A_0(b_0) \land C \vdash B_k(b_0), r}\ (\to l)}{\forall x\,(A_k(x) \to q), \neg q \vdash F_k, r}\ (\forall l,\ \to r,\ \forall r)}{\neg q \vdash H_k, r}\ (\to r) \qquad \dfrac{q \vdash q}{q, \neg q \vdash}\ (\neg l)}{r \to q, \neg q \vdash H_k}\ (\to l,\ cl)$$ 




According to Proposition 1(a), |β_k| is linear in k, hence |ϑ_k| is linear in k. 
Consequently, the following result holds: 

Lemma 2. Let φ_k be the CIRC*-proof of S_k = ε; r → q ⊢_{q;∅} H_k described 
above. Then |φ_k| ≤ d_1·k + d_2, for some constants d_1, d_2. 

On the other hand, deriving the formula H_k “classically” from the theory 
r → q in CIRC* is tantamount to deriving the circumscription sequent 

C_k := ε; r → q ⊢_{∅;∅} H_k 

in CIRC*. But the length of any CIRC*-proof of this sequent is non-elementary 
in k for the following reasons. The sequent C_k can only be derived in CIRC* by 
an application of the rule C_2, using the classical sequent W_k := r → q ⊢ H_k 
as premise. However, it is easy to see that the additional implication r → q 
in the antecedent of W_k does not reduce proof length, mainly because q is a 
pure atom in W_k, i.e., q occurs negatively only. To put it another way, by an 
argument similar to the proof of Lemma 1, any cut-free LK-derivation of W_k 
can be transformed into an LK-proof of H_k without increasing the proof length, 
hence any LK-proof of W_k must be non-elementary in k. 

Lemma 3. Any CIRC*-proof of C_k := ε; r → q ⊢_{∅;∅} H_k has length > c·s(k), 
for some constant c. 

Let us examine the above short CIRC*-proof φ_k of S_k in more detail. The 
important consequence of circumscribing q is the propagation of the literal ¬q 
into the right upper sequent of the inference C_3. This newly introduced literal 
¬q is used in the classical deduction as an “axiom partner” for the pure atom q 
in W_k. As a consequence, there is a sequent of the form 

U_k := A_0(b_0) ∧ C ⊢ B_k(b_0), r, A_k(b_0) 

occurring in the classical proof ϑ_k. Since A_k(b_0) is the only cut formula in the 
short LKcut-deduction ψ_k of ⊢ F_k, the sequent U_k has a short cut-free derivation. 
Consequently, the proof above is also short. Of course, this argumentation fails 
for the “classical” sequent C_k, because q occurs in one polarity only. 

Theorem 3. There is an infinite sequence $(H_k)_{k \in \mathbb{N}}$ of first-order formulae for 
which the following holds. 

(a) There exists a CIRC*-proof of S_k = ε; r → q ⊢_{q;∅} H_k whose length is linear 
in k. 

(b) The minimal proof length of C_k = ε; r → q ⊢_{∅;∅} H_k in CIRC* is greater 
than c·s(k), for some constant c. 

Not only does the proof length decrease non-elementarily, but also the size 
of the search space. The reason is the elementary relation between proof length 
and search-space size for cut-free sequent calculi. Hence, if circumscription is 
possible, the overall effort remains elementary, whereas the overall effort in the 
classical (monotonic) case is non-elementary. 

So far, we have considered S_k and C_k which are both derivable. Let us slightly 
modify these sequents by defining S'_k := ε; r → q ⊢_{q;∅} H'_k and 
C'_k := ε; r → q ⊢_{∅;∅} H'_k, where 

$$H'_k := (\forall x\,(A_k(x) \to q)) \to F'_k, \qquad F'_k := \forall b\,((A_0(b) \land C) \to r).$$ 

The sequent r → q ⊢ H'_k is not classically derivable mainly because A_0(b) ∧ C 
is a logic program without a goal and, therefore, is satisfiable but not valid. The 
sequent S'_k, however, remains derivable. This is easily checked by considering 
the LK-derivation ϑ_k. If we replace in this derivation the formula H_k by H'_k, 
we obtain an LK-derivation ϑ'_k containing a sequent of the form A_0(b_0) ∧ C ⊢ 
r, r, A_k(b_0). However, we know that this sequent has a short classical proof, 
because A_0(b_0), C ⊢ A_k(b_0) has one. Hence, the length of the whole deduction 
remains short. 

4 Conclusion and Discussion 

In most works, non-monotonic reasoning is studied with no relation to a 
particular calculus. However, if non-monotonic techniques are embedded into 
automated deduction systems, the relative efficiency of the calculus becomes a 
crucial property. We used a cut-free sequent calculus for our analysis and showed 
that the presence of circumscription can tremendously simplify not only the proofs 
themselves but also the search for proofs. Although circumscription is in the worst 
case harder than classical logic, our result demonstrates that the other way 
around is also possible. After all, making things easier and not more complicated 
is a desired property when it comes to formalizations of common-sense reasoning. 
Let us compare our result here with the result obtained in [10]. There, we 
used circumscription as a “preprocessing” activity to complete the precondition 
of the main connective in H_k, resulting in the first-order formula $\hat{H}_k$, where 

$$H_k := (\forall b\,(A_k(b) \to q(b))) \to F_k, \qquad \hat{H}_k := (\forall b\,(A_k(b) \leftrightarrow q(b))) \to F_k.$$ 

Then we estimated for both formulae the minimal proof length in analytic 
calculi,³ with the result that $\hat{H}_k$ has short proofs whereas H_k has non-elementary 
proofs only. The reason for the tremendous speed-up is the simulation of 
instances of the cut rule with cut formula A_k(b_0) by the newly introduced 
definition. In the circumscription process, the predicate q(·) is minimized while all 
other predicates and functions remain fixed. In contrast, the chosen circumscription 
in our sequent S_k minimizes the (propositional) predicate q but allows all 
other predicates and function symbols to vary. This is the main reason why we 
do not get the speed-up result for the classical counterpart of S_k in the “old” 
circumscription variant. Obviously, different variants of circumscription yield 
different behaviours with respect to proof length. 

Although the class of formulae used to establish our result is constructed 
so as to show the best case for the speed-up, one should observe that even 
simpler and more natural examples may exist, which become easier to prove by 
considering additional (relevant) knowledge. 

In a related paper [11], we show that a generalization of Bonatti’s sequent 
calculus for default logic [3] allows a similar non-elementary speed-up of proof 
length. 
Abstract. We generalize finite-valued modal logics by introducing the
concept of distribution modalities in analogy to distribution quantifiers.
Sound and complete proof search procedures are provided using prefixed
signed tableaux. Examples indicate that our generalized concept of
modalities is indeed needed to formalize different types of statements in
contexts of "graded truth" and inconsistent or incomplete databases.



1 Introduction 

Typical applications of logic in computer science - and Artificial Intelligence in
particular - differ from mathematical applications (in the narrow sense) mainly
in two aspects. First, one is urged to study not only classical or intuitionistic
logic, but a very wide range of non-classical logics. Various applications trigger
the invention and investigation of ever new logics, where 'classic' logics appear
too narrow a basis for adequate formalization. Second, efficient proof search is a
central prerequisite for many applications. Usually it is not sufficient to find a
logical formalism that allows one to express salient features of the phenomena to be
modeled. Rather, one aims at the construction of programs that find proofs of
corresponding statements. Whenever possible, concrete decision procedures
(not just proofs of decidability) should also be provided. In this paper we want to
contribute to both aspects of logic in computer science. We investigate a very
broad family of many-valued modal logics and provide computationally adequate
tableau-based proof systems for them.

The idea to generalize possible world semantics to a many-valued context is
not new. Modal logics based on three-valued logics have been studied in [24],
[16], and [23]. Broader families of many-valued modal logics are investigated,
e.g., in [25], [15], [19], [20]. Undoubtedly, the most advanced treatment of the
topic consists in a series of papers by M.C. Fitting [7,8,9]. All authors consider
the generalization of classical (i.e., two-valued) evaluation of formulas in
possible worlds to many-valued evaluations. In addition, Fitting introduced a
second class of many-valued modal logics by making also the accessibility relation
many-valued. Although we consider this second approach to be well motivated
and attractive, too, we aim here at a generalization and proof search theoretic
consolidation of the first approach.^1

The central motivation of our contribution is the following. We are convinced
that various applications call for a broader understanding of "modality" that,
to the best of our knowledge, has not yet been fully captured. All cited papers only
consider rather straightforward counterparts of the classic modal operator $\Box$
("necessarily") and its dual $\Diamond$ ("possibly"). However, our examples in Section 7
are intended to show that modal operators that do not correspond to such modalities
arise naturally in different many-valued contexts. For this purpose we introduce
the concept of "distribution modalities" (in Section 2.3). Moreover, we aim at
a very general, uniform and modular representation. Prefixed signed tableaux
as presented by Fitting in [6] turned out to be an almost perfect tool for this
purpose.

The paper can also be read as another exercise in the very topical sub.ject
of "combining logics", most inspiringly propagated, e.g., by D. Gabbay (see also
[2]). Indeed we like to view the introduced class of logics as the space of all
possible combinations of the following three building blocks:

— an arbitrary finite-valued "base logic",

— any Kripke semantics with standard accessibility relation, and

— most importantly: an arbitrary (finite) collection of distribution modalities.

Once the particular choice for these three parameters is made, a sound, complete
and even optimized tableau-based calculus for the corresponding logic can (in
principle) be generated automatically using procedures like those implemented
in the system Multlog [3]. The many-valued modal logics described in [25],
[15], [19], and elsewhere appear as simple instances. Thus one can also see this
work as a contribution to the exciting field of "logic engineering" (see [17,18]).

For the sake of a concise and clear presentation we only describe propositional
logics here. The generalization to the first-order level does not present any
difficulties beyond those for the underlying many-valued and (standard) modal logics
themselves.

2 Logical Building Blocks 

2.1 Finite-Valued Logics

Literature on many-valued logics abounds (see, e.g., [11,21]). Here, we consider
the class of all finite-valued propositional logics. A language $\mathcal{L}$ for a finite-valued
logic consists of countably many propositional variables and a finite number of
propositional connectives, each of which has some fixed arity. (The arity may
be 0; in that case the connectives are called truth constants.) $\mathcal{L}$-formulas are
defined as usual. A corresponding matrix $M_{\mathcal{L}}$ consists in a non-empty set of
truth values $N = \{a_1, \dots, a_m\}$ and an abstract algebra with domain $N$ of
appropriate type. For every $n$-place connective $o$ of $\mathcal{L}$ there is an associated
truth table $\tilde{o}: N^n \to N$. An interpretation $I_M$ is a matrix $M$ together with
an assignment of truth values to the propositional variables. The corresponding
evaluation function $v_{I_M}$ is defined as usual. Thus any pair $(\mathcal{L}, M_{\mathcal{L}})$ determines
an $m$-valued logic $L$. Usually one also distinguishes a subset $D$ of $N$ as "designated
truth values" and defines a formula $X$ as valid if $v_{I_M}(X) \in D$ for all
interpretations $I_M$. However, we consider the more general setting, where one
is interested in proofs of statements of the form $\forall I_M: v_{I_M}(X) \in A$ (or $\notin A$) for
arbitrary formulas $X$ and $A \subseteq N$.

^1 We think that the work presented here can rather straightforwardly be extended to
many-valued accessibility relations as well as whole collections of different accessibility
relations for single logics. However, to keep things reasonably simple we restrict
ourselves here to the propositional case of the first approach.



2.2 Normal Modal Logics 



The literature on modal logics is even more immense than that on many-valued
logics. Our starting point is the class of normal modal logics characterized by simple
defining conditions on the accessibility relations of their Kripke semantics.



Definition 1. A (Kripke-) frame is a pair $(\mathcal{G}, \mathcal{R})$ where $\mathcal{G}$ is a non-empty set
of possible worlds and $\mathcal{R}$ is a binary relation on $\mathcal{G}$. Members of $\mathcal{G}$ will be referred
to as possible worlds. A world $\Delta$ is accessible from $\Gamma$ if $\Gamma \mathcal{R} \Delta$.

A valuation in a frame $(\mathcal{G}, \mathcal{R})$ is a mapping $v: \mathcal{G} \times Var \to \{true, false\}$,
where $Var$ is the set of propositional variables.

A (Kripke-) model $\mathcal{M}$ is a triple $(\mathcal{G}, \mathcal{R}, v)$ where $(\mathcal{G}, \mathcal{R})$ is a frame and $v$ is
a valuation in it.

The usual language of classical propositional logic is enriched by a unary
connective (modal operator) $\Box$. Let $Form$ denote the set of all formulas over
this language.



Definition 2. The evaluation function corresponding to a model $\mathcal{M}$ is defined
as an extension of the valuation $v$ to a mapping $v_{\mathcal{M}}: \mathcal{G} \times Form \to \{true, false\}$:

1. $v_{\mathcal{M}}(\Gamma, P) = v(\Gamma, P)$ for every variable $P \in Var$ and world $\Gamma \in \mathcal{G}$.

2. $v_{\mathcal{M}}(\Gamma, o(X_1, \dots, X_m)) = \tilde{o}(v_{\mathcal{M}}(\Gamma, X_1), \dots, v_{\mathcal{M}}(\Gamma, X_m))$ for every classical
connective $o$ and its corresponding truth function $\tilde{o}$.

3. $v_{\mathcal{M}}(\Gamma, \Box X) = true$ iff $(\forall \Delta \in \mathcal{G})\ \Gamma \mathcal{R} \Delta$ implies $v_{\mathcal{M}}(\Delta, X) = true$.

Particular logics are characterized by certain properties of the accessibility
relation. For the sake of a concise presentation, which nevertheless allows one to
recognize the generality of our approach, we consider the following concrete logics as
reference points of our generalizations:

  L    | L-property                          | serial
  -----+-------------------------------------+-------
  K    | —                                   | no
  T    | reflexive                           | yes
  K4   | transitive                          | no
  KB   | symmetric                           | no
  B    | reflexive and symmetric             | yes
  S4   | reflexive and transitive            | yes
  S5   | reflexive, symmetric and transitive | yes
  D    | —                                   | yes
  D4   | transitive                          | yes
  DB   | symmetric                           | yes

A model is called an L-model if its accessibility relation satisfies the L-property
and, where the above table says so, is serial.^2

2.3 Distribution Modalities 

As mentioned above, Ostermann and others have already considered generalizations
of standard modal logics to a many-valued context. In Definition 1 of a
Kripke model one only has to replace $\{true, false\}$ by an arbitrary set of truth
values $N$. An ordering on $N$, with $true$ as maximal element and $false$ as minimal
element, is assumed to reflect "grades of truth". The relevant step consists
in generalizing the interpretation of the standard "necessity" operator $\Box$ from

$v_{\mathcal{M}}(\Gamma, \Box X) = true$ iff $\forall \Delta: \Gamma \mathcal{R} \Delta$ implies $v_{\mathcal{M}}(\Delta, X) = true$

to

$v_{\mathcal{M}}(\Gamma, \Box X) = a$ iff $\inf\{v_{\mathcal{M}}(\Delta, X) \mid \Delta \in \mathcal{G}, \Gamma \mathcal{R} \Delta\} = a$,

for every truth value $a \in N$. In the corresponding definition for the dual "possibility"
operator $\Diamond$ the supremum is taken in place of the infimum.

The semantics of the non-modal connectives is defined exactly as in Definition 2.

We want to use many-valued Kripke models in a more general way. Instead
of considering only "inf" and "sup" as a basis for the definition of finite-valued
modalities, we suggest investigating all functions from $2^N$ to $N$ as candidates for
determining the semantics of modalities. The examples below and in Section 7
are intended to demonstrate that modalities that do not arise as direct generalizations
of $\Box$ ("necessarily") or $\Diamond$ ("possibly") may be needed in different contexts.

Definition 3. Syntactically, a distribution modality $\mu$ is a unary connective.
Given a many-valued (Kripke-) model $\mathcal{M}$ its semantics is determined by

$v_{\mathcal{M}}(\Gamma, \mu X) = \tilde{\mu}(\{v_{\mathcal{M}}(\Delta, X) \mid \Delta \in \mathcal{G}, \Gamma \mathcal{R} \Delta\})$

where $\tilde{\mu}$ is a function of type $2^N \to N$.

^2 A binary relation $\mathcal{R}$ is serial if $\forall x \exists y: x \mathcal{R} y$.

The name "distribution modalities" is suggested by the close relation of $\tilde{\mu}$
to the truth functions of distribution quantifiers (see, e.g., [5,13]). The truth
value that is assigned to the formula $\mu X$ in a world $\Gamma$ of a Kripke model $\mathcal{M}$
is determined by the distribution of truth values for $X$ in the worlds that are
accessible from $\Gamma$ in $\mathcal{M}$. Similarly, the truth value of $(Qx)A(x)$ for a distribution
quantifier $Q$ is determined by the distribution of truth values over all instances
of $A(x)$. However, the analogy between quantifiers and modalities is not perfect.
Whereas the domain of an interpretation is required to be non-empty, the set of
accessible worlds may be empty (for non-serial logics).



Example 1. Many, if not most, important applications of many-valued logics are
induced by their interpretation as logics of graded truth or fuzzy logics. One
singles out truth values, say $t$ and $f$, as denoting "absolute truth" and "absolute
falsehood", respectively. The other truth values are intended to refer to intermediate
grades of truth. A central notion in this context is that of "crispness".
Propositions are called crisp if they always evaluate either to $t$ or to $f$.

One can usually define a formula $F[X]$ such that $F$ evaluates to $t$ iff its
subformula $X$ evaluates either to $t$ or to $f$. However, observe that this fact is
not sufficient to be able to claim that crispness can be expressed within the
logic. After all, we only want to call a proposition crisp if its truth value is
"absolute" with respect to any interpretation.^3 To express crispness within the
logic we propose to view it as a distribution modality which is added to the fuzzy
logic of your choice. The following definition seems a reasonable choice for the
interpretation of $C$ as a modality, intended to express the property "crisp" of
propositions:

$\tilde{C}(A) := t$ if $A = \emptyset, \{t\}, \{f\}$ or $\{t, f\}$; $\tilde{C}(A) := f$ otherwise.

If the underlying logic allows one to define a unary propositional connective $df$
with $\widetilde{df}(a) = t$ iff $a = t$ or $a = f$, then we can alternatively use the standard
necessity operator $\Box$ (in the sense of Ostermann) to express the crispness of a
proposition $X$ by $\Box df(X)$.

However, one might prefer to interpret the statement "$X$ is crisp" itself as
a non-crisp statement. For example, let some subset $N$ of the real interval $[0, 1]$
containing 0 and 1 be the set of truth values, where $0 = f$ and $1 = t$. Suppose
$N$ is closed under $-$ and $mean$, where $mean(A)$ denotes a suitable type of mean
value of $A \subseteq N$. Moreover, let $A_f := \{a \mid a < 0.5, a \in A\}$ and $A_t := \{a \mid a > 0.5, a \in A\}$. Then

$\tilde{C}(A) = mean(A_t) - mean(A_f)$

could be a plausible candidate for the interpretation of $CX$ as "$X$ is crisp". ($C$
measures how "close" the distribution of truth values in the accessible worlds
gets to $t$ or $f$, respectively.)

^3 In a fuzzy context, we hardly want to call the proposition "this is a fine day" crisp
only because it was absolutely true for one of the authors of this paper on September
6th, 1983.

We do not claim that these examples contribute deeply to the logical foun- 
dation of fuzzy logic. But we hope that they enable the reader to see that the 
concept of distribution modalities opens a wide space of possible formalizations 
of natural properties of propositions at the object level that are usually only 
expressible at the meta-level. 
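The semantics of Definition 3 and the crispness modality of Example 1, as an added, runnable illustration that is not code from the paper: it evaluates formulas in finite many-valued Kripke models, treating each distribution modality as a function of the set of values its argument takes in the accessible worlds, and then checks by exhaustive enumeration over all K-models with at most three worlds that $CX$ and $\Box df(X)$ agree, as claimed above. The three-valued set $\{f, u, t\}$ with order $f < u < t$, the tuple encoding of formulas, the sample model and all function names are assumptions of this example, not notation of the paper.

```python
from itertools import product

# Assumed three-valued base logic for this example (Example 1 only fixes t and f):
# values ordered f < u < t, with u the single intermediate grade.
F, U, T = "f", "u", "t"
ORDER = {F: 0, U: 1, T: 2}

def inf_modality(dist):
    """Ostermann's necessity: infimum of the values X takes in accessible worlds.
    The infimum over an empty distribution (no accessible world) is the top element t."""
    return min(dist, key=ORDER.get, default=T)

def crisp_modality(dist):
    """The distribution modality C of Example 1: t iff the distribution is one of
    {}, {t}, {f}, {t,f}, i.e. no accessible world gives X an intermediate grade."""
    return T if dist <= {T, F} else F

def df(a):
    """Unary connective df of Example 1: t iff a is absolute (t or f), f otherwise."""
    return T if a in (T, F) else F

CONNECTIVES = {"df": df}
MODALITIES = {"box": inf_modality, "C": crisp_modality}

def evaluate(model, world, formula):
    """v_M(world, formula) as in Definition 3.  model = (worlds, R, v) with R a set of
    pairs and v a dict (world, variable) -> value.  Formulas are nested tuples:
    ("var", name), ("op", name, X1, ..., Xm) or ("mod", name, X)."""
    worlds, R, v = model
    if formula[0] == "var":
        return v[(world, formula[1])]
    if formula[0] == "op":
        return CONNECTIVES[formula[1]](*(evaluate(model, world, x) for x in formula[2:]))
    # distribution modality: the truth function sees only the SET of values the
    # argument takes over the accessible worlds, not which world produced which value
    dist = frozenset(evaluate(model, w, formula[2]) for w in worlds if (world, w) in R)
    return MODALITIES[formula[1]](dist)

def all_models(max_worlds, variables=("X",)):
    """Every finite K-model over `variables` with at most max_worlds worlds
    (no condition on R, so non-serial frames are included)."""
    for n in range(1, max_worlds + 1):
        worlds = list(range(n))
        pairs = [(a, b) for a in worlds for b in worlds]
        cells = [(w, x) for w in worlds for x in variables]
        for bits in product((False, True), repeat=len(pairs)):
            R = {p for p, keep in zip(pairs, bits) if keep}
            for vals in product((F, U, T), repeat=len(cells)):
                yield worlds, R, dict(zip(cells, vals))

def equivalent(f1, f2, max_worlds=3):
    """True iff f1 and f2 take the same value in every world of every enumerated model."""
    return all(evaluate(m, w, f1) == evaluate(m, w, f2)
               for m in all_models(max_worlds) for w in m[0])

X = ("var", "X")
CX = ("mod", "C", X)                        # "X is crisp" as a distribution modality
BOX_DF_X = ("mod", "box", ("op", "df", X))  # the alternative encoding via Ostermann's box

# Constructed sample model: world 0 sees worlds 1 and 2, world 1 sees nothing.
SAMPLE = ([0, 1, 2], {(0, 1), (0, 2)}, {(0, "X"): T, (1, "X"): U, (2, "X"): T})

if __name__ == "__main__":
    print(evaluate(SAMPLE, 0, CX), evaluate(SAMPLE, 1, CX))  # f (world 1 gives X = u), t (empty distribution)
    print(equivalent(CX, BOX_DF_X))                            # True
```

The enumeration is only a sanity check over small frames, not a proof; the exhaustive check is what the tableau calculus of Section 3 replaces by a finite proof search. Note that the agreement of the two encodings depends on the empty infimum being the top element, which is exactly the non-serial case discussed after Definition 3.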

Definition 4. Given a finite set of truth values $N$, an $N$-valued logic with (normal)
distribution modalities is given by an arbitrary combination of three components:

— a non-empty, finite set of connectives $\{o_1, \dots, o_c\}$ and corresponding truth
functions $\{\tilde{o}_1, \dots, \tilde{o}_c\}$,

— a standard property of the accessibility relation in Kripke frames,

— a non-empty, finite set of distribution modalities $\{\mu_1, \dots, \mu_d\}$ and corresponding
truth functions $\{\tilde{\mu}_1, \dots, \tilde{\mu}_d\}$.

Again, one may want to round off this definition by designating at least one
truth value. For our context only the following observation is of importance:
any truth functional concept of "tautology" or "entailment" can be reduced to
questions about the status of prefixed signed formulas as defined in the next
section.



3 Prefixed Signed Tableaux 

In recent years, signed tableaux - i.e., tableaux where formulas are labeled by
(sets of) truth values - have become recognized as an almost ideal framework for proof
search for finite-valued logics (see, e.g., [12,13]). Similarly, prefixed tableaux,
as introduced by Fitting [6] referring to ideas of Kripke, are a very flexible
tool for proof search in modal logics, in particular if one aims at generality and
conceptual clarity. Considering finite-valued modal logics, what would be more
natural than to combine these two versions of tableaux?

Definition 5. A prefix is a finite non-empty sequence of positive integers. The
concatenation of two prefixes $\sigma, \tau$ will be denoted by $\sigma \cdot \tau$. Let $\Pi$ be the set of all
prefixes.

A prefix $\tau$ is a simple extension of $\sigma$ if $\tau = \sigma \cdot (n)$ for some integer $n$. The
K-accessibility relation $\mathcal{R}_K$ on prefixes is defined by:

$(\forall \sigma, \tau \in \Pi)\ \sigma \mathcal{R}_K \tau$ iff $\tau$ is a simple extension of $\sigma$.

For every L let $\mathcal{R}_L$ be the L-property-closure of $\mathcal{R}_K$.

Prefixes are intended to name worlds of a model. This is made precise in the
following definition.
Definition 6. Let $\Sigma \subseteq \Pi$ be a set of prefixes and let $(\mathcal{G}, \mathcal{R}, v)$ be an L-model.
An L-interpretation in the L-model $\mathcal{M} = (\mathcal{G}, \mathcal{R}, v)$ is a mapping $I_{\mathcal{M}}: \Sigma \to \mathcal{G}$
from prefixes in $\Sigma$ to worlds in $\mathcal{G}$ such that

$\sigma \mathcal{R}_L \tau$ implies $I_{\mathcal{M}}(\sigma)\, \mathcal{R}\, I_{\mathcal{M}}(\tau)$

for all $\sigma, \tau \in \Sigma$.

Definition 7. A prefixed signed formula^4 is an expression of the form
$\sigma:[a]:X$ or $\sigma^*:A:X$, where $\sigma$ is a prefix, $a$ a truth value and $A$ a finite set
of truth values. Let $PSF$ be the set of all prefixed signed formulas.

The intended interpretation of $\sigma:[a]:X$ is that $X$ evaluates to $a$ in the world
denoted by $\sigma$. The intended interpretation of $\sigma^*:A:X$ is that $X$ evaluates to
some truth value in $A$ in every world that is accessible from the one denoted
by $\sigma$.

Definition 8. The relation $\models_L$ between an L-interpretation $I_{\mathcal{M}}$ into an L-model
$\mathcal{M} = (\mathcal{G}, \mathcal{R}, v)$ and prefixed signed formulas is defined by:

$I_{\mathcal{M}} \models_L \sigma:[a]:X$ iff $\sigma \in \Sigma$ and $v_{\mathcal{M}}(I_{\mathcal{M}}(\sigma), X) = a$,

$I_{\mathcal{M}} \models_L \sigma^*:A:X$ iff $\sigma \in \Sigma$ and $\{v_{\mathcal{M}}(\Delta, X) \mid I_{\mathcal{M}}(\sigma) \mathcal{R} \Delta\} \subseteq A$.

$\models_L$ is extended to sets $S$ of prefixed signed formulas by:

$I_{\mathcal{M}} \models_L S$ iff $(\forall Z \in S)\ I_{\mathcal{M}} \models_L Z$.

A set $S$ of prefixed signed formulas is L-satisfiable iff there exists an L-interpretation
$I_{\mathcal{M}}$ with $I_{\mathcal{M}} \models_L S$.

Definition 9. For a finite non-empty set $E$, $T(E)$ denotes any labeled linear
tree with $|E|$ nodes whose labels are exactly the members of $E$.

Let $T$ be a labeled tree, $B$ a branch of $T$ and suppose $C = \{E_1, \dots, E_m\}$
is a finite collection of finite non-empty sets. To extend $B$ with $C$ means to
construct a new labeled tree by adjoining the trees $T(E_1), \dots, T(E_m)$ at the
leaf node of $B$.

Whenever there is no misunderstanding to be expected we identify a branch
with the set of prefixed signed formulas that label its nodes.

Definition 10. A prefix $\sigma$ occurs in $S$ iff $\sigma:[a]:X \in S$ or $\sigma^*:A:X \in S$ for
some formula $X$, $a \in N$, $A \subseteq N$. Let $\pi(S)$ be the set of prefixes occurring in $S$.

We prefer to specify the tableau extension rules in a more general and abstract
way than usual. For this purpose we first single out certain sets of sets
of prefixed signed formulas that directly correspond to the truth functions of
connectives and modal operators, respectively, if interpreted as disjunctive normal
forms (on the meta-level).

^4 We follow Fitting [6] in using this arguably oxymoronic expression.




Tableaux for Finite- Valued Logics with Arbitrary Distribution Modalities 



163 



Definition 11. Let $C = \{E_1, \dots, E_n\}$ be a finite collection of finite non-empty
sets of prefixed signed formulas.

$C$ is an analysis for $Z = \sigma:[a]:o(X_1, \dots, X_m)$ if the members of $E_i$ ($1 \le i \le n$)
are of the form $\sigma:[b]:X_j$ ($1 \le j \le m$) and for all L-interpretations $I_{\mathcal{M}}$:

$I_{\mathcal{M}} \models_L Z$ iff $(\exists E \in C)\ I_{\mathcal{M}} \models_L E$.

$C$ is an analysis for $Z = \sigma:[a]:\mu X$ if the members of the $E_i$ ($1 \le i \le n$)
are of the form $\tau:[b]:X$ or $\sigma^*:A:X$ and for all L-interpretations $I_{\mathcal{M}}$ there exists an
L-interpretation $I'_{\mathcal{M}}$ with $I'_{\mathcal{M}}(\sigma) = I_{\mathcal{M}}(\sigma)$ such that:

$I_{\mathcal{M}} \models_L Z$ iff $(\exists E \in C)\ I'_{\mathcal{M}} \models_L E$.

The set of all analyses of $Z$ is denoted by $\mathcal{A}(Z)$.

As is well known from the literature (see, e.g., [5,13,1]) one can easily compute
an analysis for signed formulas led by any truth functional connective.
An example of a general schema for an analysis of a prefixed signed formula
$\sigma:[a]:o(X_1, \dots, X_m)$ is

$\{\{\sigma:[a_1]:X_1, \dots, \sigma:[a_m]:X_m\} \mid (a_1, \dots, a_m) \in \tilde{o}^{-1}(a)\}$.

For a prefixed signed formula of the form $\sigma:[a]:\mu X$ it is straightforward to check
that

$\{\{\sigma_1:[a_1]:X, \dots, \sigma_m:[a_m]:X, \sigma^*:A:X\} \mid A = \{a_1, \dots, a_m\} \in \tilde{\mu}^{-1}(a)\}$

is an analysis. (Here, the $\sigma_i$ are pairwise distinct new prefixes.)

A complete set of analyses for all types of signed formulas essentially constitutes
a tableau calculus.

Definition 12. Let $S$ be a finite non-empty set of prefixed signed formulas. The
set $\mathcal{T}_L(S)$ of all L-tableaux for $S$ is defined as the set of $PSF$-labeled trees that
can be constructed by finitely many applications of the following rules:

Initial Tableau Rule: A finite linear tree whose node labels are the prefixed
signed formulas of $S$ is an L-tableau for $S$.

L-Tableau Extension Rules: If $T$ is an L-tableau for $S$ and $Z$ occurs on a
branch $B$ of $T$ then construct a new L-tableau for $S$ by extending $B$ with
some $C$ satisfying the following conditions depending on $Z$:

  $Z$                             | condition on $C$
  --------------------------------+---------------------------------------------------------------
  $\sigma:[a]:o(X_1, \dots, X_m)$ | $C \in \mathcal{A}(Z)$
  $\sigma:[a]:\mu X$              | $C \in \mathcal{A}(Z)$, and $(\forall \tau \in \pi(C))$: $\tau = \sigma$ or $\tau$ is an unrestricted simple extension of $\sigma$
  $\sigma^*:A:X$                  | $C = \{\{\tau:[a]:X\} \mid a \in A\}$ for some $\tau \in \pi(B)$ with $\sigma \mathcal{R}_L \tau$

Here, $\tau$ is called unrestricted if it is not an initial segment of any prefix
occurring on $B$.
Definition 13. A set $S \subseteq PSF$ of tableau formulas is closed iff one of the
following conditions holds:

       | $S$ contains                           | and
  -----+----------------------------------------+--------------------------------------------
  C1   | $\sigma:[a]:X$, $\sigma:[b]:X$           | $a \ne b$
  C2   | $\sigma:[a]:o$                          | $o$ is a constant such that $\tilde{o} \ne a$
  C3   | $\sigma:[a]:o(X_1, \dots, X_m)$          | $\tilde{o}^{-1}(a) = \emptyset$
  C4   | $\sigma:[a]:\mu X$                      | $\tilde{\mu}^{-1}(a) = \emptyset$
  C5   | $\sigma^*:\emptyset:X$, $\tau:[a]:Y$     | $\tau$ is L-accessible from $\sigma$

$S$ is atomically closed iff C1 holds for a propositional variable $X$ or C2
holds. An L-tableau branch $B$ is closed if the set of tableau formulas occurring
on $B$ is closed. A branch is called open if it is not closed. An L-tableau is closed
if every branch is closed.

Definition 14. A tableau $T$ is called L-satisfiable if it has at least one L-satisfiable
branch.



4 Soundness 



The soundness proof closely follows Fitting's corresponding proof for classical
prefixed tableaux (§8, ¶3 in [6]).

Lemma 1. Let $T$ be L-satisfiable and suppose $T'$ is created from $T$ by an application
of an L-tableau extension rule. Then $T'$ is also L-satisfiable.

Proof. $T$ contains at least one L-satisfiable branch $B$. Let $I_{\mathcal{M}}$ be some L-interpretation
with $I_{\mathcal{M}} \models_L B$. If any branch different from $B$ is extended to
construct $T'$ then $B$ is unchanged and hence is still L-satisfiable.

Now suppose branch $B$ is extended by applying an L-tableau extension rule
to some prefixed signed formula $Z \in B$. We have to consider three cases.

$Z = \sigma:[a]:o(X_1, \dots, X_m)$. Then $B$ is extended by $C \in \mathcal{A}(Z)$. Obviously
$I_{\mathcal{M}} \models_L Z$. Hence, by definition of an analysis, there is an $E \in C$ such that
$I_{\mathcal{M}} \models_L E$. Therefore $B' := B \cup E$ is a branch of $T'$ with $I_{\mathcal{M}} \models_L B'$.

$Z = \sigma:[a]:\mu X$. Then $B$ is extended by $C \in \mathcal{A}(Z)$, where all prefixes occurring
in $C$ are equal to $\sigma$ or unrestricted simple extensions of $\sigma$. Obviously $I_{\mathcal{M}} \models_L Z$. By definition
there is an L-interpretation $I'_{\mathcal{M}}$ with $I'_{\mathcal{M}}(\sigma) = I_{\mathcal{M}}(\sigma)$ and an $E \in C$ such that $I'_{\mathcal{M}} \models_L E$. Let $B' :=
B \cup E$. Hence $\pi(B') = \pi(B) \cup \pi(E)$. All prefixes occurring in $E$ are unrestricted
for $B$ or equal to $\sigma$. Therefore $\pi(B) \cap \pi(E) \subseteq \{\sigma\}$. Now we define a mapping
$I''_{\mathcal{M}}: \pi(B') \to \mathcal{G}$ by:

$I''_{\mathcal{M}}(\tau) := I_{\mathcal{M}}(\tau)$ if $\tau \in \pi(B)$, and $I''_{\mathcal{M}}(\tau) := I'_{\mathcal{M}}(\tau)$ if $\tau \in \pi(E)$.

$I''_{\mathcal{M}}$ is well-defined since $\pi(B) \cap \pi(E) \subseteq \{\sigma\}$ and $I_{\mathcal{M}}(\sigma) = I'_{\mathcal{M}}(\sigma)$. Finally it is
an easy matter to check that $I''_{\mathcal{M}}$ is an L-interpretation with $I''_{\mathcal{M}} \models_L B'$.








$Z = \sigma^*:A:X$. $\tau$ is a prefix occurring in $B$ with $\sigma \mathcal{R}_L \tau$. $B$ is extended by
$C = \{\{\tau:[a]:X\} \mid a \in A\}$. $\sigma \mathcal{R}_L \tau$ implies $I_{\mathcal{M}}(\sigma)\, \mathcal{R}\, I_{\mathcal{M}}(\tau)$. From this and $I_{\mathcal{M}} \models_L
Z$, that is $\{v_{\mathcal{M}}(\Delta, X) \mid \Delta \in \mathcal{G}, I_{\mathcal{M}}(\sigma) \mathcal{R} \Delta\} \subseteq A$, we conclude that there must be
an $a \in A$ with $v_{\mathcal{M}}(I_{\mathcal{M}}(\tau), X) = a$, i.e. $I_{\mathcal{M}} \models_L \tau:[a]:X$. But then $I_{\mathcal{M}} \models_L B' :=
B \cup \{\tau:[a]:X\}$. Therefore $B'$ is an L-satisfiable branch of $T'$.

Theorem 1 (Soundness). Let $S$ be a finite non-empty set of prefixed signed
formulas. If there is a closed L-tableau for $S$ then $S$ is not L-satisfiable.

Proof. Let $T$ be a closed L-tableau for $S$ and suppose $S$ is L-satisfiable. Then
the initial tableau $T_0$ of $T$ is L-satisfiable. By Lemma 1 every extension of $T_0$
is L-satisfiable. Therefore $T$ is L-satisfiable. But it is easy to see that a closed
L-tableau can never be L-satisfiable.

5 Completeness 

Again, the proof follows ideas of [6]. I.e., a model is extracted from a branch
that is left open by a systematic proof search procedure.

Definition 15. A set $S \subseteq PSF$ of prefixed signed formulas is L-downward
saturated iff the following conditions hold:

1. $S$ is not atomically closed.

2. $Z = \sigma:[a]:o(X_1, \dots, X_m) \in S \Rightarrow (\exists C \in \mathcal{A}(Z))(\exists E \in C)\ E \subseteq S$.

3. $Z = \sigma:[a]:\mu X \in S \Rightarrow (\exists C \in \mathcal{A}(Z))(\exists E \in C)\ E \subseteq S$.

4. $\sigma^*:A:X \in S \Rightarrow (\forall \tau \in \pi(S): \sigma \mathcal{R}_L \tau)(\exists a \in A)\ \tau:[a]:X \in S$.

Lemma 2. If $S$ is L-downward saturated then $S$ is L-satisfiable in an L-model
whose possible worlds are simply the prefixes occurring in $S$.

Proof. Suppose $S$ is L-downward saturated. Construct an L-model as follows.
Let $\mathcal{G} := \pi(S)$ be the set of prefixes that occur in $S$ and let $\mathcal{R}$ be the restriction of
$\mathcal{R}_L$ to $\mathcal{G}$. For all logics L - except possibly those where the accessibility relation
is of type D, D4 or DB - $(\mathcal{G}, \mathcal{R})$ is an L-frame. $\mathcal{G}$ might contain worlds $\sigma$
for which there is no $\tau$ with $\sigma \mathcal{R} \tau$. This means that $(\mathcal{G}, \mathcal{R})$ need not be an L-frame
if L is based on a serial, but not necessarily reflexive, accessibility relation.
However, it is easy to check that we obtain a proper frame if we augment $\mathcal{R}$ by
$\{(\sigma, \sigma) \mid \neg(\exists \tau \in \mathcal{G})\ \sigma \mathcal{R} \tau\}$.^5 Let

$v(\sigma, P) := a$ if $\sigma:[a]:P \in S$, and $v(\sigma, P) := a_0$ otherwise,

where $a_0$ is an arbitrary element of $N$. $v$ is well-defined since $S$ is not atomically
closed. Hence $\mathcal{M} = (\mathcal{G}, \mathcal{R}, v)$ is an L-model. Obviously, the identity map
$I_{\mathcal{M}}: \mathcal{G} \to \mathcal{G}$, $I_{\mathcal{M}}(\sigma) := \sigma$, is an L-interpretation in $\mathcal{M}$. Finally, it is easy to
show by induction on the degree of the formula in $Z$:

$Z \in S \Rightarrow I_{\mathcal{M}} \models_L Z$

for every prefixed signed formula $Z$. Therefore $I_{\mathcal{M}} \models_L S$.

^5 This corrects a minor error in [6].

Theorem 2 (Completeness). Let $S$ be a finite non-empty set of prefixed signed
formulas. If $S$ is not L-satisfiable then there is a closed L-tableau for $S$.

Proof. Analogous to Fitting's proof of Theorem 6.2 in §8 of [6].



6 Optimized Rules 

We have presented not just particular tableau calculi for particular logics, but
have described a broad class of such calculi in a uniform and abstract manner.
Depending on the choice of the analysis - in the sense of Definition 11 - for a
given connective and truth value, we obtain different rules, which may be of very
different complexity. By complexity we mean the number of new branches (and,
secondarily, of formulas on these branches) that are introduced by an application
of the rule. For actual proof search one obviously wants to keep this "branching
degree" as small as possible. For the case of many-valued connectives and quantifiers
this optimization problem is well investigated (see, e.g., [22], [1], [14]).
R. Hähnle [13] discovered that - for standard connectives - drastic reductions
of the branching factors can be gained by taking sets of truth values instead of
single truth values as signs of formulas. In fact, we made use of this fact in the
case of prefixed signed formulas of type $\sigma^*:A:X$.

The important point here is that, after fixing the set of connectives and the
set of possible signs, optimal rules can be computed by suitable programs.^6

The strong analogy between distribution modalities and distribution quantifiers
allows us to apply the same optimization techniques. (The case of non-serial
logics, where the empty distribution is allowed - in contrast to quantifier distributions,
where this is excluded - does not pose principal problems.)

There are still many interesting open questions concerning the "right" choice
of sets of signs for given (families of) logics. Fortunately, these optimization
problems are largely independent of our subject. Here it suffices to remark
that for implementations of our proof method one should certainly employ the
sets-as-signs paradigm and the various optimization algorithms cited above.

^6 In the current version Multlog only computes optimal conjunctive normal forms.
The disjunctive normal forms needed for tableaux can be read off from Multlog's
output if one specifies the "complementary" logic as input.

7 Examples

7.1 Expressing Crispness

We already outlined in Section 2.3 how distribution modalities can be used to
express "crispness" within a logic of graded truth. Having presented a generic
tableau calculus for such logics in the previous sections we are now in the position
to demonstrate how a concrete statement about "crispness" can be proved.
For this purpose we choose the three-valued Gödel logic [10] as a base logic that
allows statements to be evaluated to true ($t$), false ($f$), or intermediate ($u$), respectively.
The truth tables for the standard connectives ¬, ∧, ∨ and ⊃ are as follows.

  ¬ |
  --+--
  f | t
  u | f
  t | f

  ∧ | f u t
  --+------
  f | f f f
  u | f u u
  t | f u t

  ∨ | f u t
  --+------
  f | f u t
  u | u u t
  t | t t t

  ⊃ | f u t
  --+------
  f | t t t
  u | f t t
  t | f u t




We augment this logic by the distribution modality $C$, where $CX$ is intended
to denote the statement "$X$ is crisp"; or, more exactly, the statement "In all
possible worlds $X$ evaluates either to $t$ or to $f$ (but not to the intermediate
value)". The truth function $\tilde{C}$ is defined by:

$\tilde{C}(A) := t$ if $A = \emptyset, \{t\}, \{f\}$ or $\{t, f\}$; $\tilde{C}(A) := f$ otherwise.

Optimized tableau rules for the distribution modality $C$ are given by
(premise above the line, extension of the branch below it):

  $\sigma:[f]:CX$
  --------------
  $\tau:[u]:X$

  $\sigma:[u]:CX$
  --------------
  closure

  $\sigma:[t]:CX$
  --------------
  $\sigma^*:\{t, f\}:X$

where $\tau$ is an unrestricted simple extension of $\sigma$, and the middle rule is the
closure rule C4 ($\tilde{C}^{-1}(u) = \emptyset$, see Definition 13).



Tableau rules for the connectives ∧ and ⊃ used in the sample proof below
are given by (alternative extensions separated by a vertical bar):

  $\sigma:[u]:(X \supset Y)$
  ----------------------
  $\sigma:[t]:X$
  $\sigma:[u]:Y$

  $\sigma:[u]:(X \wedge Y)$
  --------------------------------------------------------------------------
  $\sigma:[t]:X$, $\sigma:[u]:Y$  |  $\sigma:[u]:X$, $\sigma:[u]:Y$  |  $\sigma:[u]:X$, $\sigma:[t]:Y$

(By the truth table above, $X \supset Y$ takes the value $u$ only for $X = t$ and $Y = u$,
which is why the first rule does not branch.)

Remark. We used Multlog [3] to compute these rules.

To fix the appropriate conditions on the prefixes in applying the rules we have
to choose defining properties for the accessibility relation. We choose a K-type
relation, i.e., no restriction is imposed on accessibility.

Let us prove that the statement that "the disjunction of any two statements
implies that both statements are crisp" is itself a crisp statement. Our modal
extension of Gödel's logic allows us to express this sentence by the rather simple
formula

$C((X \vee Y) \supset (CX \wedge CY))$.

To prove that this formula is valid - i.e. $t$ in all models - we have to find closed
tableaux for the prefixed signed formulas

$(1):[f]:C((X \vee Y) \supset (CX \wedge CY))$

and

$(1):[u]:C((X \vee Y) \supset (CX \wedge CY))$.

In the second case, the rule for $C$ and $u$ leads to immediate closure. For the first
case we get the following:

  (1)  $(1):[f]:C((X \vee Y) \supset (CX \wedge CY))$
  (2)  $(1,1):[u]:((X \vee Y) \supset (CX \wedge CY))$
  (3)  $(1,1):[t]:(X \vee Y)$
  (4)  $(1,1):[u]:(CX \wedge CY)$

  left branch:    (5)  $(1,1):[t]:CX$    (6)  $(1,1):[u]:CY$    closure
  middle branch:  (7)  $(1,1):[u]:CX$    (8)  $(1,1):[u]:CY$    closure
  right branch:   (9)  $(1,1):[u]:CX$    (10) $(1,1):[t]:CY$    closure

Comment. Line (2) is obtained from line (1) by the rule for $C$ and $f$.
Lines (3) and (4) are obtained from line (2) by the rule for ⊃ and $u$. Lines (5) to
(10) are obtained from line (4) by the rule for ∧ and $u$. The left branch closes by
applying the rule for $C$ and $u$ to line (6). The right branch closes by applying the
rule for $C$ and $u$ to line (9). The branch in the middle closes by applying
the same rule to either line (7) or line (8).

Remember that we did not impose any restriction on the accessibility relation.
Therefore we have shown that $C((X \vee Y) \supset (CX \wedge CY))$ is valid in all
(normal) extensions of Gödel's logic with modality $C$.
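An added example, not the authors' implementation and not Multlog: a small Python proof search for the calculus of Section 3, specialised to the K-type accessibility relation and to Gödel's three-valued logic with the modality $C$ of this section. It builds the unoptimised analyses from the two preimage schemata given after Definition 11 rather than the Multlog-optimized rules above, so the rule for $\sigma:[f]:CX$ yields four extensions (one per distribution containing $u$) where the optimized rule has one, and it closes branches by conditions C1, C3/C4 and C5 of Definition 13. The tuple encoding of prefixed signed formulas, the branch-selection heuristic (expand the formula with the fewest extensions first) and all function names are assumptions of this example.

```python
from itertools import combinations, product

# Three-valued Goedel logic of Section 7.1: f < u < t, "and" = min, "or" = max,
# X imp Y = t if X <= Y and Y otherwise (the truth tables given above).
VALUES = ("f", "u", "t")
ORD = {v: i for i, v in enumerate(VALUES)}
CONN = {
    "and": lambda a, b: min(a, b, key=ORD.get),
    "or": lambda a, b: max(a, b, key=ORD.get),
    "imp": lambda a, b: "t" if ORD[a] <= ORD[b] else b,
}
# Distribution modality C ("X is crisp"): t iff no accessible world gives X the value u.
MODS = {"C": lambda A: "t" if A <= {"t", "f"} else "f"}
SUBSETS = [frozenset(s) for r in range(len(VALUES) + 1) for s in combinations(VALUES, r)]

# Prefixed signed formulas (Definition 7) as tuples: ("val", sigma, a, X) for sigma:[a]:X
# and ("star", sigma, A, X) for sigma*:A:X, sigma a tuple of ints.  Formulas are nested
# tuples ("var", name), ("op", name, X1, X2) or ("mod", name, X).  A branch is a list.
def prefixes(branch):
    return {z[1] for z in branch}

def analysis(z, branch):
    """An analysis A(Z) built from the two preimage schemata following Definition 11
    (unoptimised rules): one extension per tuple/distribution in the preimage."""
    _, sigma, a, x = z
    if x[0] == "op":
        args = x[2:]
        return [[("val", sigma, b, y) for b, y in zip(vals, args)]
                for vals in product(VALUES, repeat=len(args)) if CONN[x[1]](*vals) == a]
    # modality: for every distribution A with mu~(A) = a, one fresh unrestricted simple
    # extension of sigma per member of A, plus sigma*:A:X bounding all other successors
    used = {p[len(sigma)] for p in prefixes(branch) if len(p) > len(sigma) and p[:len(sigma)] == sigma}
    start = max(used, default=0) + 1
    return [[("val", sigma + (start + i,), b, x[2]) for i, b in enumerate(sorted(A))]
            + [("star", sigma, A, x[2])]
            for A in SUBSETS if MODS[x[1]](A) == a]

def closed_by_c1(branch):
    """Closure condition C1: one formula carries two different values at the same prefix."""
    seen = {}
    return any(kind == "val" and seen.setdefault((sigma, x), a) != a
               for kind, sigma, a, x in branch)

def applicable(branch, done):
    """Every rule application still available on the branch: (extensions, bookkeeping key)."""
    apps = []
    for z in branch:
        kind, sigma, sign, x = z
        if kind == "val" and x[0] != "var" and z not in done:
            apps.append((analysis(z, branch), z))
        elif kind == "star":                      # K-accessible prefixes = simple extensions
            for tau in prefixes(branch):
                if len(tau) == len(sigma) + 1 and tau[:len(sigma)] == sigma and (z, tau) not in done:
                    apps.append(([[("val", tau, b, x)] for b in sign], (z, tau)))
    return apps

def has_closed_tableau(branch, done=frozenset()):
    """Systematic K-type proof search: True iff the branch has a closed sub-tableau."""
    if closed_by_c1(branch):
        return True
    apps = applicable(branch, done)
    if not apps:
        return False                              # saturated open branch: a counter-model exists
    coll, key = min(apps, key=lambda app: len(app[0]))   # fewest new branches first
    # an empty collection is closure by C3/C4 (empty preimage) or C5 (sigma*:{}:X with a successor)
    return all(has_closed_tableau(branch + ext, done | {key}) for ext in coll)

def valid(formula):
    """Valid (t in all K-models) iff (1):[a]:formula has a closed tableau for every a != t."""
    return all(has_closed_tableau([("val", (1,), a, formula)]) for a in VALUES if a != "t")

X, Y = ("var", "X"), ("var", "Y")
CRISP_IMP = ("mod", "C", ("op", "imp", ("op", "or", X, Y),
                          ("op", "and", ("mod", "C", X), ("mod", "C", Y))))

if __name__ == "__main__":
    print(valid(CRISP_IMP))          # True: the statement proved above
    print(valid(("mod", "C", X)))    # False: an accessible world may give X the value u
```

Applied to $\sigma:[u]:(X \wedge Y)$ the function `analysis` returns exactly the three extensions of the rule given above, and for $\sigma:[u]:(X \supset Y)$ the single extension $\sigma:[t]:X$, $\sigma:[u]:Y$; for $\sigma:[t]:CX$ it returns the four unoptimised extensions that the sets-as-signs rule $\sigma^*:\{t, f\}:X$ collapses into one. The fewest-extensions-first choice is only a heuristic for the order of rule applications; it does not affect which formulas are found valid, since every open branch is saturated before the search gives up.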



7.2 Making Belnap’s Logic Reflective 

Belnap's four-valued logic [4] has repeatedly been suggested as a tool for reasoning
about (possibly) inconsistent and incomplete information. The main intuition
in this context is that a database may not only contain information that a
certain statement is false or true, but such information may either be absent or
over-determined in the sense that both true and false are assigned to some statement.
The four possible states of knowledge are represented by the four truth
values $f$ (false), $u$ (undetermined), $\bot$ (inconsistent), and $t$ (true), respectively.

The truth functions for the connectives ¬, ∧, and ∨ are defined by:
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If, for every truth value o, we add unary connectives such that JaX eva- 
luates to t iff AT evaluates to a, and to / otherwise, we can express inconsistency 
and under-determinedness within the language. However, observe that we still 
cannot “reason” within the logic about inconsistent or incomplete databases in 
a strong sense. For this it should be possible to express statements like 

(a) the status of the database entry X remains stable under all possible updates, 
or 

(b) X can never get over-determined or under-determined, or 

(c) possible updates only add but never remove information about the truth 
of X. 



Statements of this type become expressible if we “modalize” Belnap’s logic. 
More exactly, we identify a database with a possible world in a Kripke-model. 
Accessible worlds represent possible updates. 

To express "stability" in the sense of statement (a) we introduce the distribution modality Stable. We want to have: v(Γ, Stable(X)) = t if for all Δ, Δ′ such that ΓRΔ and ΓRΔ′ we have v(Δ, X) = v(Δ′, X), and v(Γ, Stable(X)) = f in all other cases. Hence, the corresponding truth function is defined as follows, where A is the set of truth values that the argument takes in the worlds accessible from Γ:

Stable(A) = t   if A = ∅, {f}, {u}, {⊥} or {t}
            f   otherwise
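As an added illustration (this editor's code, not the paper's), the following evaluates Stable and the J_a connectives over a small constructed Kripke model: a database world "db" with two possible updates, one of which can be updated further, so the accessibility relation is not symmetric. The ∧, ∨ and ¬ tables are the standard Belnap lattice operations (truth order f < u < t, f < ⊥ < t, with u and ⊥ incomparable), since the paper's own tables are not reproduced in this copy.

```python
# Added example (not the paper's code): Belnap's four values, the distribution
# modality Stable and the J_a connectives over a constructed Kripke model.
F, U, B, T = "f", "u", "⊥", "t"          # false, undetermined, inconsistent, true
VALUES = (F, U, B, T)

# Standard Belnap truth ordering: f < u < t and f < ⊥ < t, u and ⊥ incomparable.
# ∧ is the meet, ∨ the join, ¬ swaps f and t and fixes u and ⊥.
_RANK = {F: 0, U: 1, B: 1, T: 2}

def meet(a, b):
    if a == b:
        return a
    if {a, b} == {U, B}:
        return F
    return a if _RANK[a] < _RANK[b] else b

def join(a, b):
    if a == b:
        return a
    if {a, b} == {U, B}:
        return T
    return a if _RANK[a] > _RANK[b] else b

def neg(a):
    return {F: T, T: F, U: U, B: B}[a]

def stable(distribution):
    """Stable's truth function from the text: t iff the set of values taken in
    the accessible worlds is empty or a singleton, f otherwise."""
    return T if len(distribution) <= 1 else F

def j_connective(a, value):
    """J_a: t iff the argument evaluates to a, f otherwise."""
    return T if value == a else F

def evaluate(model, world, formula):
    """Formulas are nested tuples: ("var", name), ("not", A), ("and", A, B),
    ("or", A, B), ("J", a, A), ("stable", A).  A model is (valuation, R):
    valuation[world][name] is a value, R a set of (world, world) pairs."""
    valuation, R = model
    kind = formula[0]
    if kind == "var":
        return valuation[world][formula[1]]
    if kind == "not":
        return neg(evaluate(model, world, formula[1]))
    if kind == "and":
        return meet(evaluate(model, world, formula[1]),
                    evaluate(model, world, formula[2]))
    if kind == "or":
        return join(evaluate(model, world, formula[1]),
                    evaluate(model, world, formula[2]))
    if kind == "J":
        return j_connective(formula[1], evaluate(model, world, formula[2]))
    if kind == "stable":
        # distribution of the argument over the worlds accessible from `world`
        dist = {evaluate(model, w2, formula[1]) for (w1, w2) in R if w1 == world}
        return stable(dist)
    raise ValueError(f"unknown connective {kind!r}")

# Constructed model: "db" is the current database, "upd1" and "upd2" are two
# possible updates, and upd1 can be updated further to upd2 (R not symmetric).
VALUATION = {"db": {"X": T}, "upd1": {"X": T}, "upd2": {"X": U}}
R = {("db", "upd1"), ("db", "upd2"), ("upd1", "upd2")}
MODEL = (VALUATION, R)

def stability_report(model, formula):
    """Value of Stable(formula) in every world of the model."""
    valuation, _ = model
    return {w: evaluate(model, w, ("stable", formula)) for w in valuation}

if __name__ == "__main__":
    # X is unstable at "db" (its updates disagree) and vacuously stable at "upd2".
    print(stability_report(MODEL, ("var", "X")))
    # J_u X ∨ J_⊥ X: "X is under- or over-determined here", a classical-valued claim.
    print(evaluate(MODEL, "upd2", ("or", ("J", U, ("var", "X")), ("J", B, ("var", "X")))))
```

Note that a world without successors makes Stable vacuously true, which is why seriality of the accessibility relation matters for the intended reading of "stable under all updates".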

Since Stable X is intended to reflect a meta-linguistic, and therefore classical, statement about formulas of Belnap's logic within the object language itself, it is not surprising that we specified it to evaluate either to t or f. However, one may want to express similar "reflective" statements that can be under- or over-determined themselves. Consider the following modality that is intended to capture certain intuitions about the "conservativity" of statements with respect to updates.¹

Con(A):
    {f, t}, {f, u, t}, {f, ⊥, t}, {f, u, ⊥, t}
    {⊥}, {f, ⊥}, {⊥, t}, {u, ⊥}, {f, u, ⊥}, {u, ⊥, t}
    ⊥



¹ We intend to clarify the semantical adequacy of this and many other types of distribution modalities for different many-valued base logics at another place. In particular, we plan to specify modalities with respect to appropriate mathematical models of databases and not just intuitions about them.
The defining properties of the accessibility relation R determine the structure of possible updates. E.g., symmetry of R means that updates can always be revoked. If one wants to call the result of any sequence of updates also an update of the original database then R has to be transitive. If at least one update is possible for every database then R is serial, etc.

Let us use our logical framework to investigate the stability of the claim that a statement is not conservative but stable (in the sense of Belnap's logic enriched by the distribution modalities Stable (stable) and Con (conservative) as defined above). The corresponding formula is F = Stable(¬Con X ∧ Stable X). It is easy to find a model that evaluates F to false if the accessibility relation is not symmetric:



left successor world:    t:X    t:Con X    f:¬Con X    Stable X (sign illegible)    f:G
right successor world:   u:X    u:Con X    u:¬Con X    t:Stable X
                 \                    /
root world:              f:Stable G            where G := ¬Con X ∧ Stable X

In contrast, a closed tableau for (1): [f]:F can be constructed if we require 
the accessibility relation to satisfy the S5-property. Such a tableau is easy to 
generate using rules that can be read off from the truth tables as indicated in 
Section 3. However, it is quite large. Its explicit construction is left as an exercise 
for the industrious reader or — even better: to the future implementation of our 
proof search procedure. 
Abstract. A new completeness proof that generalizes the Anderson- 
Bledsoe excess literal argument is developed for connection-graph reso- 
lution. The technique also provides a simplified completeness proof for 
semantic resolution. Some observations about subsumption and about 
link deletion are made. Link deletion is the basis for connection graphs. 
Subsumption plays an important role in most resolution-based inference 
systems. In some settings — for example, connection graphs in negation 
normal form — both subsumption and link deletion can be quite tricky. 
Nevertheless, a completeness result that uses both is obtained in this 
setting. 



1 Introduction 

Robinson developed semantic tree arguments [12] to provide completeness proofs for resolution and related inference systems. These arguments were not entirely transparent in that they do not directly construct a proof in the deduction system. Rather, they work with an intermediate data structure — semantic trees. Some novices find the resulting proofs difficult to follow. The excess literal technique discovered by Anderson and Bledsoe [1], which is almost completely syntactic, is a considerable simplification. This technique, which is essentially an induction on the size of the formula, was the basis for the first completeness proofs of certain refinements of resolution.

In this paper we continue work begun in [7,6] and describe how the excess literal technique can be adapted to provide concise completeness proofs for a variety of deduction methods including for some non-clausal systems. In addition to providing simplified proofs of known results the role of subsumption in non-clausal proof systems is discussed, and a completeness proof for non-clausal connection-graph resolution is obtained.
hin Schwerpunktprogramm Deduktion.
Kowalski [8] introduced connection-graph (cg) resolution in 1975. It keeps track of all links — complementary pairs of literals — occurring in a clause set and employs deletion of the links used in a resolution step to reduce the size of the search space.

Fewer links made completeness questionable, and the semantic tree and excess literal techniques seemed to be insufficient. After six years, Bibel [3] finally proved cg-resolution to be complete. The crucial advance he made was the notion of spanning and the observation that cg-resolution steps preserve spanning (see Section 3). His approach is similar in some respects to the one presented here, but it requires a non-trivial double induction and relies on the existence of refutations that must conform to an excessively rigid structure.

Link deletion is sometimes possible with inference rules that do not rely 
on clause form. Path dissolution [11] and the tableau method implicitly delete 
links. Link deletion is also possible with semi-resolution [9], but proving that 
the spanning property is preserved is highly non-trivial. Some insight into link 
deletion in negation normal form is provided in Section 5.3. 

Stickel [13] defined and implemented non-clausal cg-resolution, but he did not give a completeness proof, suspecting that it "may be difficult." Indeed, if one tries to generalize Bibel's proof to the non-clausal case, one quickly faces seemingly insurmountable technicalities. In this paper, a variation of the Anderson-Bledsoe excess literal technique is employed to prove completeness of non-clausal cg-resolution (Theorem 4). In addition, we show that the same technique can be used to provide simplified proofs of other (known) results.

In Section 2, a variation of the Anderson-Bledsoe excess literal technique for proving completeness of resolution is described. The method is illustrated with a succinct, straightforward completeness proof for semantic resolution. In Section 3, the proof technique is used to provide a simplified proof of the completeness of clausal cg-resolution. Some new observations regarding cg-subsumption are also noted. Some prerequisites on NNF formulas are given in Section 4, and subsumption is generalized to NNF in Section 5.2. Completeness of non-clausal cg-resolution is then proven in Section 5.3.



2 A Simple Completeness Proof for Semantic Resolution 

The work described here was inspired by the Anderson-Bledsoe [1] excess literal proof of the completeness of resolution. It is essentially an induction on the size of a sentence S. An interesting variation of their proof can be obtained by applying the induction to the number of distinct atoms that appear in S. A good example is the proof below that semantic resolution is complete. Older proofs of this result are widely recognized as quite opaque. Bachmair & Ganzinger's proof [2] is well structured, but does not yield a direct, syntactic construction.

The proof here is for the ground case; it lifts in the usual way. We make the standard convention that a set of clauses is interpreted as the conjunction of its members, and that a clause is a set of literals, interpreted as the disjunction of its members. Thus defined, duplicate clauses in a sentence and duplicate literals in a clause are automatically "merged" into one copy.

Semantic resolution is defined with respect to a given interpretation I. Let S be a set of clauses, and let T be the subset of S whose members are falsified by I. (Regardless of the choice of I, T is non-empty if S is unsatisfiable.) Let T̄ = S − T. Obviously, I satisfies all clauses in T̄.

To define semantic resolution, let N = {b_1, ..., b_n} ∪ C be a clause in T̄ in which I satisfies the b_i's and falsifies the literals in C, and suppose the clauses B_1, B_2, ..., B_n are in T with b̄_k ∈ B_k. Suppose further that for any b′ ∈ B_i − {b̄_i}, b′ ≠ b̄_j, 1 ≤ j ≤ n. Then the clause R = C ∪ (⋃_{i=1}^{n} B_i − {b̄_i}) is the semantic resolvent of the nucleus clause N and the satellite clauses B_1, ..., B_n. Obviously, I falsifies R. That R can be soundly inferred from N and the B_i's can easily be seen by noting that a sequence of binary resolutions between N and the B_i's produces R. Semantically, any interpretation that satisfies the parent clauses either satisfies one literal in C (and thus R) or else some b_i. But then it falsifies b̄_i and must satisfy B_i − {b̄_i} (and thus R). Observe that hyperresolution may be regarded as a special case of semantic resolution by considering the interpretation that assigns false to every atom.
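The definition above, carried out on constructed ground clauses (this editor's example, not the paper's code): the function checks every side condition of a semantic resolution step with respect to I, returns the resolvent R, and confirms that I falsifies it. Literals are strings with "~" marking the complement, clauses are frozensets, and an interpretation is the set of atoms it makes true; with the empty interpretation the step is a hyperresolution, as the text observes.

```python
# Added example (not the paper's code): one ground semantic resolution step.
def complement(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def satisfies_literal(I, lit):
    return (lit[1:] not in I) if lit.startswith("~") else (lit in I)

def satisfies_clause(I, clause):
    return any(satisfies_literal(I, lit) for lit in clause)

def split(S, I):
    """Return (T, Tbar): the clauses of S falsified by I and the rest."""
    T = frozenset(c for c in S if not satisfies_clause(I, c))
    return T, frozenset(S) - T

def semantic_resolvent(I, nucleus, satellites):
    """Semantic resolvent of `nucleus` (a clause I satisfies) and `satellites`
    (clauses I falsifies).  Each satellite B_k must contain the complement of
    exactly one literal b_k of the nucleus that I satisfies, and no other
    satellite literal may be the complement of some b_j.  Returns R, or None
    when the step is not a semantic resolution step with respect to I."""
    if not satisfies_clause(I, nucleus):
        return None
    b = frozenset(lit for lit in nucleus if satisfies_literal(I, lit))
    C = nucleus - b                          # literals of N that I falsifies
    bars = {complement(bk): bk for bk in b}  # maps b̄_k to b_k
    used, rest = set(), []
    for Bk in satellites:
        hits = [lit for lit in Bk if lit in bars]
        if satisfies_clause(I, Bk) or len(hits) != 1 or hits[0] in used:
            return None
        used.add(hits[0])
        rest.append(Bk - {hits[0]})
    if len(used) != len(b):                  # every b_k needs its own satellite
        return None
    R = C.union(*rest)
    assert not satisfies_clause(I, R)        # I falsifies R, as the text notes
    return R

# Constructed input.  With I = {} (every atom false) the nucleus is the mixed
# clause and the satellites are the positive clauses: a hyperresolution step.
I_ALL_FALSE = frozenset()
NUCLEUS = frozenset({"~a", "~b", "c"})
SATELLITES = [frozenset({"a", "d"}), frozenset({"b"})]

def demo():
    return semantic_resolvent(I_ALL_FALSE, NUCLEUS, SATELLITES)

if __name__ == "__main__":
    print(sorted(demo()))
```

A satellite containing the complements of two nucleus literals (for instance {a, b} against the nucleus above) violates the condition b′ ≠ b̄_j and is rejected, which is exactly what keeps the resolvent falsified by I.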

We begin by recalling the pure rule: A literal in a set of clauses is said to 
be pure if its complement does not occur in any other clause. In that case, the 
clause containing the pure literal is also said to be pure. The proof of the next 
lemma is straightforward. 

Lemma 1 (Pure Rule). Let S be an unsatisfiable clause set in which the 
clause C is pure. Then S' = S — {C} is unsatisfiable. 

Lemma 2. Let S = {C_0, C_1, C_2, ..., C_k} be a minimally unsatisfiable set of clauses (i.e., no proper subset of S is unsatisfiable), and suppose C_0 = {p} ∪ {q_1, ..., q_n}, where n ≥ 0. Obtain S′ from S by deleting every occurrence of p in S. Then S′ is unsatisfiable, and every minimally unsatisfiable subset of S′ contains C′_0 = {q_1, ..., q_n} but contains no clauses that contain p̄.

Proof. Every clause in S′ subsumes a clause in S, so S′ is unsatisfiable. By the pure rule, any minimally unsatisfiable subset of S′ cannot contain any clauses that contain p̄. Also, since S is minimally unsatisfiable, there must be an interpretation I_0 that falsifies C_0 but satisfies every other clause in S. Thus, I_0 satisfies every clause in S′ other than C′_0. But then C′_0 must be in any minimally unsatisfiable subset of S′. □

Theorem 1. Semantic resolution is refutation complete for propositional logic. 

Proof. Let S = {C_1, C_2, ..., C_m} be an unsatisfiable set of clauses. We assume that S is minimally unsatisfiable; otherwise, restrict attention to a minimally unsatisfiable subset. We must show that, given an arbitrary interpretation I, there is a refutation of S using semantic resolution with respect to I.

Proceed by induction on the number n of distinct atoms in S. If there are 
none, then S contains the empty clause, and we are done. 
So suppose that all unsatisfiable sets of clauses with at most n atoms can be refuted with semantic resolution, and assume that S has n + 1 atoms including the atom p. Let q = p if I falsifies p, and q = p̄ otherwise. Since S is minimal, the Pure Rule implies that p cannot be pure, so both q and q̄ occur in S.

If S contains the unit clause {q}, fine; otherwise, remove all occurrences of q from S. This formula is unsatisfiable by Lemma 2. Consider a minimally unsatisfiable subset; by Lemma 2, every clause that had contained q in S is in this set and no clause containing q̄ is present. By the induction hypothesis, there is a refutation R_q by semantic resolution. Now apply that refutation to S; call the resulting refutation R′_q. The effect is to reintroduce q into some clauses, so that, with merging, the clause {q} rather than the empty clause may be produced by R′_q.

Nevertheless, each step is a semantic resolution step. The reason is that I falsifies q, and so, by reintroducing q, the membership in T or T̄ of the resulting clauses is unchanged. Also, none of the clauses containing q̄ are resolved upon, and the result is either the empty clause² or the clause {q}. This clause is the last semantic resolvent and is in T.

Analogously, if we begin by deleting q̄, a refutation R_q̄ by semantic resolution can be found. Let the proof that results from applying R_q̄ to S be denoted by R′_q̄. This proof yields either the empty clause or the unit {q̄}. However, it may not be a semantic resolution proof with respect to I, because reintroducing q̄ into a member of T produces a clause satisfied by I and thus in T̄. But a semantic resolution proof can be constructed from R′_q̄ using the unit {q} derived by R′_q.

Consider an arbitrary step in R_q̄ with nucleus N = {b_1, ..., b_n, c_1, ..., c_m} and satellites B_k ∈ T with b̄_k ∈ B_k, 1 ≤ k ≤ n. Suppose that q̄ is reintroduced into some of these clauses. First, if q̄ is in N, simply use {q} as an additional satellite, and it will be resolved away. If q̄ is also reintroduced into some B_k, the resulting clause B_k ∪ {q̄} is a member of T̄ and cannot be a satellite. But we may first use it as a nucleus clause in a semantic resolution with satellite {q}, and the semantic resolvent is simply B_k. This in turn can be used in the step that employed nucleus N, and so that step is unchanged. Note that this construction assures that the last step that produced q̄ in R′_q̄ now produces the empty clause.

Combining R′_q and the modified R′_q̄ produces the required semantic resolution proof. □

The above induction is somewhat reminiscent of the Davis-Putnam-Loveland procedure [5]: Refutations are obtained from the induction hypothesis by removing all occurrences of a given atom. A simplified completeness proof for connected CNF tableaux can also be obtained with this technique [7,6].

3 Connection Graphs 

Let S be a set of clauses. A link in S is a pair of complementary literals from different clauses, and a c-path through S is a set containing exactly one literal occurrence from each clause in S. A c-path may also be thought of as a maximal conjunction of literal occurrences in S and corresponds to a clause in a DNF equivalent of S. Any satisfying interpretation for S will satisfy every literal on some c-path of S. Obviously, if S is unsatisfiable, no c-path can be satisfied, and thus every c-path will contain a link.

² In fact, this cannot happen because of minimality, but this is not really relevant.

A link set containing every link in S is said to be full, and S is said to be spanned by a set of links 𝓛 if every c-path of S contains a member of 𝓛. If S is unsatisfiable, then it is spanned by its links; note, however, that a link set 𝓛 may span S and yet not be full. Intuitively, if 𝓛 spans S, then 𝓛 contains enough information to demonstrate the unsatisfiability of S. A connection graph for S consists of S along with a set 𝓛 of links from S; it is denoted G(S, 𝓛). We write G when the clause and link set are obvious from context. We say that G (or S) is minimally spanned if removal of any clause and its associated links produces a graph that is not spanned.

Example 1. Consider the connection graph G(S, 𝓛) with unsatisfiable clause set S consisting of C = {p, q}, D = {p̄, q}, E = {q̄} and full link set 𝓛 = {{p_C, p̄_D}, {q_C, q̄_E}, {q_D, q̄_E}}. G is minimally spanned.



3.1 The Pure Rule and Subsumption 

Care is required with links in a connection graph since a complementary pair of literal occurrences may not be in the link set. Thus, if p is a literal in the clause C, we often use p_C to denote the occurrence of p in C. Care is also required for the notion of purity: Suppose G(S, 𝓛) is spanned and contains the clause C = A ∪ {p}. Suppose further that no link in 𝓛 contains the literal p_C. Then the literal occurrence p_C and the clause C are said to be pure in G. The next lemma is the pure rule for connection graphs; its proof is straightforward.

Lemma 3 (Pure Rule). Let G(S, 𝓛) be spanned and contain the clause C = A ∪ {p}, where p_C is pure. Then G′ = G(S′, 𝓛′) is spanned, where S′ = S − {C} and 𝓛′ is the result of removing from 𝓛 all links that meet clause C.

In the next lemma, and in subsequent developments, objects are removed 
from the clauses of a connection graph. In such situations, it is implicitly assumed 
that links associated with the removed objects are also removed. 

Lemma 4. Let S = {C_0, C_1, C_2, ..., C_k} be a minimally spanned set of clauses, and suppose C_0 = {p} ∪ {q_1, ..., q_n}, where n ≥ 0. Obtain S′ from S by deleting p from C_0. Then S′ is spanned, and every minimally spanned subset of S′ contains C′_0 = {q_1, ..., q_n} but contains no clauses that contain an unlinked p̄. More generally, p may be removed from all clauses in S to produce a spanned set of clauses with one fewer atom.

Proof. Removing a literal from a clause in S simply removes the c-paths containing that literal, so S′ is spanned. By the pure rule, any minimally spanned subset of S′ cannot contain pure clauses.

Observe that not all c-paths through S − {C_0} are linked since S is minimally spanned. Thus, there is a linkless c-path P_0 through S − {C_0}. Since S is spanned, there is a link connecting every literal in C_0 to a literal in P_0. Since P_0 is also a c-path (without links) through S′ − {C′_0}, S′ − {C′_0} is not spanned, and C′_0 is in any minimally spanned subset of S′.

Finally, successive applications of the first part of the lemma can be used to produce a minimally spanned set of formulas in which p has been completely removed. □

The classical notion of subsumption carries over to the connection-graph setting in a spanning-preserving manner [3]. It must be modified because a link set may not be full. Suppose connection graph G(S, 𝓛) contains clauses C and D, and suppose that C ⊆ D; i.e., C "classically" subsumes D. For each literal p_C in C, we denote by L_{p_C} the set of literal occurrences linked to p_C in 𝓛. Suppose further that for every literal p_C, L_{p_C} ⊇ L_{p_D}. Then we say clause C cg-subsumes clause D.

Lemma 5 (Cg-subsumption). Suppose that G(S, 𝓛) is spanned and contains clauses C and D, and suppose that C cg-subsumes D. Then G′(S′, 𝓛′) is spanned, where S′ = S − {D}, and 𝓛′ is the result of removing from 𝓛 all links that meet clause D.

We will subsequently investigate and further develop cg-subsumption. However, the tools already described are sufficient to produce a quite elegant completeness proof for cg-resolution.

3.2 Cg- Resolution 

To define connection graph resolution, let G(S, 𝓛) be a connection graph containing clauses C = {p} ∪ A and D = {p̄} ∪ B. Suppose further that 𝓛 contains the link L = {p_C, p̄_D}. Then we may cg-resolve clauses C and D to produce the connection graph G′(S′, 𝓛′), where S′ = S ∪ {E}, E = A ∪ B, and 𝓛′ = 𝓛 − {L} ∪ INH. The set INH consists of inherited links. Intuitively, each literal in E comes from one in C or from one in D and so inherits the links the corresponding literal had in the parent clause. When the same literal occurs in both parents, the occurrences are merged, and the resolvent inherits the links of both. Formally,

INH = {{p_E, p_Q} | {p_C, p_Q} ∈ 𝓛 or {p_D, p_Q} ∈ 𝓛}

Example 2. In G(S, 𝓛) from Example 1 we may cg-resolve clauses C and D via L = {p_C, p̄_D} with resolvent F = {q} and inherited link set INH = {{q_F, q̄_E}}. The resulting link set 𝓛′ spans S′ = S ∪ {F}, but G′(S′, 𝓛′) is not minimally spanned, since {E, F} ⊆ S′ is spanned by INH.
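The notions of Section 3 (links, c-paths, spanning, minimal spanning, purity) and the cg-resolution step with its inherited links, as this editor's added example rather than the paper's code, applied to Examples 1 and 2 above. Clauses are named sets of literals ("~p" stands for p̄), a literal occurrence is a (literal, clause name) pair, and a link is a frozenset of two occurrences; the clause names and the literal syntax are this example's own.

```python
# Added example (not the paper's code): clausal connection graphs.
from itertools import product

def complement(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def full_links(S):
    """All complementary pairs of occurrences in different clauses of S."""
    links = set()
    names = sorted(S)
    for i, c in enumerate(names):
        for d in names[i + 1:]:
            for lit in S[c]:
                if complement(lit) in S[d]:
                    links.add(frozenset({(lit, c), (complement(lit), d)}))
    return links

def c_paths(S):
    """Every way of picking one literal occurrence from each clause."""
    names = sorted(S)
    for choice in product(*(sorted(S[n]) for n in names)):
        yield {(lit, n) for lit, n in zip(choice, names)}

def spanned(S, links):
    """S is spanned by `links` iff every c-path contains one of them."""
    return all(any(link <= path for link in links) for path in c_paths(S))

def without_clause(S, links, name):
    """Drop a clause together with its associated links."""
    rest = {k: v for k, v in S.items() if k != name}
    return rest, {l for l in links if all(occ[1] != name for occ in l)}

def minimally_spanned(S, links):
    if not spanned(S, links):
        return False
    return not any(spanned(*without_clause(S, links, n)) for n in S)

def pure_occurrences(S, links):
    """Occurrences no link mentions; the pure rule removes their clauses."""
    linked = {occ for link in links for occ in link}
    return {(lit, n) for n in S for lit in S[n] if (lit, n) not in linked}

def cg_resolve(S, links, link, new_name):
    """cg-resolve on `link`, giving (S', L') with L' = L - {link} ∪ INH."""
    (lit_c, c), (lit_d, d) = sorted(link)
    E = (S[c] - {lit_c}) | (S[d] - {lit_d})
    S2 = dict(S)
    S2[new_name] = E
    inh = set()
    for other_link in links - {link}:
        for occ in other_link:
            if occ[1] in (c, d) and occ[0] in E:
                # the literal survives in E and inherits this link of its parent
                (partner,) = other_link - {occ}
                inh.add(frozenset({(occ[0], new_name), partner}))
    return S2, (links - {link}) | inh

# Example 1 of the text: C = {p, q}, D = {p̄, q}, E = {q̄} with the full link set.
S1 = {"C": {"p", "q"}, "D": {"~p", "q"}, "E": {"~q"}}
L1 = full_links(S1)

def example2():
    """Example 2: resolve C and D on the p-link.  The resolvent F = {q} inherits
    the single link {q_F, q̄_E}, which by itself spans {E, F}."""
    S2, L2 = cg_resolve(S1, L1, frozenset({("p", "C"), ("~p", "D")}), "F")
    return S2, L2, L2 - L1

if __name__ == "__main__":
    print(minimally_spanned(S1, L1))
    S2, L2, inh = example2()
    print(S2["F"], inh, spanned(S2, L2), minimally_spanned(S2, L2))
```

The spanning test enumerates all c-paths, so it is exponential in the number of clauses; that is fine for checking the lemmas on small graphs but is not how a prover would maintain the spanning invariant.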

The link set in the example is not full after only one cg-resolution step. Nevertheless, spanning is preserved. It is not difficult to prove but was quite difficult to see; it was the key observation that Bibel made that led to the first completeness proof of cg-resolution. Below a new proof is presented that is included here because it is shorter and simpler than Bibel's original proof, and because it will make it easier for the reader to follow the proof of the NNF case in Section 5.3. Note, however, that the new proof relies heavily on Bibel's lemma:

Lemma 6 (Bibel [3]). Suppose that a link in the spanned connection graph G(S, 𝓛) is selected and cg-resolution produces the connection graph G′(S′, 𝓛′). Then G′ is spanned, i.e., S′ is spanned by 𝓛′.

Theorem 2. Connection-graph resolution is refutation complete for propositional logic.

Proof. Let G(S, 𝓛) be a connection graph spanned by 𝓛; we must show that there is a refutation of S using cg-resolution. We proceed by induction on the number n of distinct atoms in S. If there are none, then S contains the empty clause, and we are done. Otherwise, assume that all spanned connection graphs with at most n atoms can be refuted with cg-resolution, and suppose that S has n + 1.

If S is not minimally spanned, then restrict attention to a minimally spanned subset. Let p be any atom in S; we begin by deriving the unit clause {p} from S. If S contains {p}, we have it; otherwise, by Lemma 4, we can remove all occurrences of p in S, producing the spanned G′(S′, 𝓛′). By the induction hypothesis, there is a refutation of S′. This refutation applied to S produces either the empty clause, in which case the proof is complete, or the unit clause {p}, as promised.

The unit {p} cannot be pure because no occurrence of p in S was pure, and no resolution step involved any clause from S that contained p̄. In particular, there are no new clauses containing p̄. Let C = {p̄} ∪ C′ be a clause that is linked to p. The cg-resolvent of {p} and C is C′, which cg-subsumes C since no link to C′ has been deleted. Thus, a minimally spanned subset of the resulting connection graph is a spanned clause set in which the number of occurrences of p̄ is reduced.

We now iterate this process, successively reducing the number of occurrences of p̄ while preserving the spanning property. Eventually a spanned graph with no occurrences of p̄ is produced. By the pure rule, a minimally spanned subset contains no occurrences of p. Thus, we have a spanned connection graph with at most n distinct atoms. By the induction hypothesis, there is a refutation of the empty clause. □

Remark. In [3], Bibel uses a somewhat restricted inheritance rule to further 
reduce the number of links. The above proof applies with that inheritance rule 
virtually without modification. 

3.3 Cg-Subsumption 

In the proof of Theorem 2, we made rather straightforward use of cg-subsumption. The requirements on the links of the clauses involved are necessary to ensure that spanning is preserved. In fact, whenever C subsumes D, C can be forced to cg-subsume D by performing enough cg-resolutions on D. For example, if the literal p occurs in both clauses, and if p_D is linked to p̄_E but p_C is not, then cg-resolve on the {p_D, p̄_E} link. This deletes the link; with enough cg-resolutions involving a subsumed clause, excess links that disallow cg-subsumption can be deleted, and the subsumed clause will be cg-subsumed.

This offers the advantage of deleting the subsumed clause, but the penalty is 
severe: A number of extra clauses are introduced into the search space. If these 
extra clauses turn out to be necessary for a proof, then the penalty is really no 
penalty at all. However, this seems unintuitive. On the other hand, if the extra 
cg-resolutions are avoided, the subsumed clause must be kept. 

There may be a better approach. Suppose that in connection graph G, clause C subsumes clause D but does not cg-subsume D. Suppose further that for each literal p_C in C such that L_{p_C} ⊉ L_{p_D}, we add to L_{p_C} exactly those links required to ensure that L_{p_C} ⊇ L_{p_D}. By cg-subsumption, D may now be deleted from the graph. We say that D has been removed by augmented cg-subsumption.

First observe that augmented cg-subsumption preserves spanning. Adding 
links to the subsuming clause cannot harm the spanning property, nor can the 
subsequent removal of the cg-subsumed clause. However, we would like to know 
that we have left completeness unaffected and not increased either the proof or 
the search space. 

Investigation of the proof and search spaces is beyond the scope of this paper and left for future work. Completeness is, however, easily settled. First, cg-subsumption is a special case of augmented cg-subsumption; so the current proof of Theorem 2 goes through with the latter. But that proof could in fact be greatly simplified: All occurrences of literal p could be removed at once, and a derivation of (at least one) unit clause {p} results. All other clauses containing p are then deleted by augmented cg-subsumption. As a result, all clauses with p̄ are either already pure or become so after being resolved with the unit. Then the unit is pure. Voila: The induction hypothesis provides a refutation.



4 Negation Normal Form 

Formulas in negation normal form (NNF) are defined inductively: (i) literals, true, and false are NNF formulas; (ii) if F_1, ..., F_m are NNF formulas, so are F_1 ∧ ⋯ ∧ F_m and F_1 ∨ ⋯ ∨ F_m. We identify formulas that are equal up to associativity.

The subformulas of an NNF formula G are defined as follows: (i) literals have only themselves as subformulas; (ii) if G = F_1 ∘ ⋯ ∘ F_m, where ∘ ∈ {∧, ∨}, then for any {i_1, ..., i_k} ⊆ {1, ..., m}, F_{i_1} ∘ ⋯ ∘ F_{i_k} is a subformula of G; (iii) the subformula relation is transitive.

If p and q are literals in an NNF formula F and if p ∈ G and q ∈ H where G ∧ H is a subformula of F, then p and q are said to be c-connected; if G and H are disjoined, then p and q are said to be d-connected. A link is a complementary pair of c-connected literals. Unless otherwise stated, we will assume that for any formula, the following simplification rules have been applied; in them, p is a literal and S is an arbitrary formula.

p ∨ ⋯ ∨ p = p ∧ ⋯ ∧ p = p    p ∨ p̄ = true    p ∧ p̄ = false

S ∨ false = S ∧ true = S    S ∧ false = false    S ∨ true = true

A c-path through F is a maximal set of mutually c-connected literals, and a d-path through F is a maximal set of mutually d-connected literals. The c-paths of a formula correspond to the clauses of one of its disjunctive normal form (DNF) equivalents. Similarly, the d-paths correspond to the clauses of a CNF equivalent. If F = G ∧ H, and if P and Q are c-paths through G and H, respectively, then P ∪ Q is a c-path through F; it is denoted PQ. (If P and Q are d-paths through G and H, respectively, then P and Q are each a d-path through F.) The next lemma (from [10]) is easy to prove.

Lemma 7. A formula is satisfiable if and only if some c-path in it is satisfiable, 
and a c-path is satisfiable if and only if it does not contain a link. 

We use a set of NNF formulas to denote the conjunction of its members. In particular, we assume the formulas in the set to be either disjunctions or literals. Thus, complementary literals residing in different formulas are in fact c-connected and constitute a link. Links may also reside within a single formula. As in the clausal case, a spanned set of NNF formulas is minimally spanned if removing any member produces a set that is not spanned.

Our completeness arguments require the removal of syntactic objects from formulas in a spanning-preserving way. This is more complicated for NNF formulas than it is for clause form, where all that is necessary is the removal of literal occurrences from the clauses in which they appear. One way to remove an object P from a spanned formula S to produce a spanned formula S_P is to remove all c-paths containing P. Since all c-paths of S contain a link, and since the c-paths of S_P will be a subset of the c-paths of S, S_P will also be spanned. It turns out that a good choice for S_P is the c-path complement of P in S, denoted CC(P, S). We use a definition of CC(P, S) which is tailored to the special case required in this paper; for the general case, see [11].

Definition 1. Let H be a subformula of the formula G. Then the c-path complement of H with respect to G, denoted CC(H, G), is the subformula that results from replacing H by false and making obvious simplifications.

Alternatively, CC(H, G) can be simply characterized with the CE operator defined as follows. Let P be a subformula of an NNF formula G. The c-extension of P, denoted CE(P), is the largest subformula of G of the form P ∧ P′. The d-extension is denoted DE(P) and is similarly defined. Observe that one of DE(P) and CE(P) must consist of P alone, and the other one cannot (unless P = G). The following theorem is proved in [11].

Theorem 3. If P is a subformula of formula S then CC(P, S) = S − CE(P).

The pure rule is valid for NNF formulas [11] but requires some care. In essence, the NNF equivalent of the clause containing a given literal p is DE(p).

Lemma 8 (Pure Rule for Negation Normal Form). If p is a pure literal in an unsatisfiable NNF formula S, then S − DE(p) is unsatisfiable.

The previous lemma is adapted to the cg setting in a straightforward way:

Lemma 9 (Pure Rule for NNF Connection Graphs). If p is a pure literal in a spanned NNF formula S, then S − DE(p) is spanned.

Proof. Removal of DE(p) cannot harm spanning unless for some c-path Q, all the links on Q meet DE(p). We may write Q as Q′Q_{DE(p)}. Note that DE(p) is a disjunction, and Q_{DE(p)} is a c-path through one of its disjuncts other than p. But then Q′p is a linkless c-path through S, contrary to hypothesis. □

Lemma 10. Let S = {F_0, F_1, F_2, ..., F_k} be a minimally spanned set of NNF formulas, and p a literal in F_0. Obtain S′ from S by removing CE(p) for every occurrence of p in F_0. Obtain S″ by applying the pure rule to S′ (possibly repeatedly). F′_i are the formulas in S′ corresponding to F_i in S.

1. Both S′ and S″ are spanned;

2. F′_0 is a member of any minimally spanned subset of S′.

Proof. 1. Removal of CE(p) removes c-paths from the formula (Theorem 3). Since S is spanned, every c-path contains a link, and that is unchanged; S″ is spanned by Lemma 9.

2. Let P_0 be a linkless c-path through {F_1, ..., F_k}. Such a P_0 must exist since otherwise S would not be minimally spanned. However, since S is spanned, every extension of P_0 through F_0 must contain a link. Since P_0 is also an unlinked c-path through S′ − F′_0, S′ − F′_0 is not spanned. Thus, any spanned subset of S′ must contain F′_0. □

5 Non-clausal Resolution 

We begin by providing a precise definition of non-clausal (NC) resolution on literals for NNF formulas. Let F and G be arbitrary ground NNF formulas, where p is an atom occurring in both F and G. We denote by F[p/β] the result of replacing all occurrences of p in F by β. If β = true or β = false, we assume that simplifications are performed. Then the NC-resolvent of F and G on the atom p is:

F[p/false] ∨ G[p/true].



5.1 Polarity 

Although the definition above is symmetric with respect to E and Q, we have 
the following polarity restriction: 

If p occurs only positively in E or only negatively in Q , then we need not consider 
the dual NC-resolvent 

P[p/true] V t/[p/false] . 

The atom p occurs positively in E if it occurs as the literal p; p occurs 
negatively in E if it occurs in the literal p. Note that p may occur both positively 
and negatively in E . 
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5.2 NNF Subsumption 

In the discussion that follows, we will often refer to subsumption of d- and c-paths rather than of disjuncts and conjuncts. Paths are defined as sets of literal occurrences, but with regard to subsumption, we consider the literal set of a path P. In this way, no change in the basic definitions is needed. Clausal subsumption is generalized to the NNF case in a fairly straightforward manner.

Recalling that the d-paths of a formula correspond to the clauses of a CNF equivalent, we say that F d-subsumes F' if for every non-tautological d-path P' in F', there is a d-path P in F, such that P ⊆ P'. The following lemma is easy.

Lemma 11. Let S be an unsatisfiable set of NNF formulas in which F d-subsumes F'. Then S − {F'} is unsatisfiable.

Clearly, if F d-subsumes F', then F ⊨ F'. There is a dual (but not equivalent) syntactic characterization of subsumption for NNF formulas. We say that F c-subsumes F' if for every non-contradictory c-path P in F, there is a c-path P' in F' such that P ⊇ P'. Of course, if F c-subsumes F', then F ⊨ F'.

Lemma 12. Let S be an unsatisfiable set of NNF formulas in which F c-subsumes F'. Then S − {F'} is unsatisfiable.

To see that neither of these subsumption rules captures implication completely, consider F1 = p, F2 = (p ∨ q), F3 = ((p ∨ q) ∧ (r ∨ r̄)). It is easy to see that F1 implies both F2 and F3. But F1 both d- and c-subsumes F2; F1 also d-subsumes F3 but does not c-subsume it.

The conditions of Lemmas 11 and 12 are quite strong; they are in fact necessary if we wish to delete an entire formula from a set of formulas. However, subsumption can more usefully be generalized further, so that more modest reductions can be captured. Lemma 13 below captures Lemma 12 as a special case. First, we define c-reduction for NNF formulas.

Given formulas F and F', suppose there is a subformula H' of F', such that F c-subsumes H'. Then we say that F c-reduces F' via H'.

Lemma 13. Let S be an unsatisfiable set of NNF formulas in which F ∈ S c-reduces F' via H'. Then S_H' = (S − {F'}) ∪ {F' − DE(H')} is unsatisfiable.

Proof. Suppose interpretation I satisfies S_H'. Then I satisfies some c-path P_I of S_H', and P_I contains a c-path through F. If P_I does not meet DE(H'), then P_I is a c-path through S, and I satisfies S.

If P_I meets DE(H'), then P_I may be written P P_DE(H') P_F, where P_DE(H') is P_I restricted to DE(H'), and P_F is P_I restricted to F. Since F c-subsumes H', P_F ⊇ P', for some c-path P' of H'. Obviously, I satisfies the literals of P' and thus satisfies P P' P_F. But this latter c-path is a c-path through S, and so I satisfies S. □
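The d-/c-subsumption tests of Sect. 5.2 and the c-reduction relation of Lemma 13, as an added Python example (not code from the paper); the tuple encoding of NNF formulas is an assumption, and F1, F2, F3 are the three formulas from the text above.

```python
"""d-paths, c-paths, d-/c-subsumption and c-reduction for ground NNF formulas
(added example, not the paper's code).  Formulas are nested tuples:
('lit', 'p') or ('lit', '~p') for literals, ('and', f, g) and ('or', f, g)
for the connectives."""

def lit(s):
    return ('lit', s)

def complement(l):
    """Complementary literal of the literal string l."""
    return l[2:] if l.startswith('~') else '~' + l

def paths(f, kind):
    """The c-paths (kind='c') or d-paths (kind='d') of f, each as a frozenset
    of literal strings.  A c-path takes a path through every conjunct and one
    disjunct of every disjunction; d-paths are the dual notion."""
    if f[0] == 'lit':
        return {frozenset([f[1]])}
    spread = 'and' if kind == 'c' else 'or'
    left, right = paths(f[1], kind), paths(f[2], kind)
    if f[0] == spread:           # combine a path from each side
        return {a | b for a in left for b in right}
    return left | right          # choose a path from either side

def has_complementary_pair(path):
    """A c-path with such a pair is contradictory; a d-path is tautological."""
    return any(complement(l) in path for l in path)

def d_subsumes(F, G):
    """F d-subsumes G: every non-tautological d-path of G contains a d-path of F."""
    fd = paths(F, 'd')
    return all(any(P <= Q for P in fd)
               for Q in paths(G, 'd') if not has_complementary_pair(Q))

def c_subsumes(F, G):
    """F c-subsumes G: every non-contradictory c-path of F contains a c-path of G."""
    gc = paths(G, 'c')
    return all(any(P >= Q for Q in gc)
               for P in paths(F, 'c') if not has_complementary_pair(P))

def subformulas(f):
    """All subformulas of f, f itself first."""
    out = [f]
    if f[0] in ('and', 'or'):
        out += subformulas(f[1]) + subformulas(f[2])
    return out

def c_reduces_via(F, G):
    """The subformulas H' of G such that F c-subsumes H', i.e. F c-reduces G via H'."""
    return [H for H in subformulas(G) if c_subsumes(F, H)]

# The three formulas of the text: F1 = p, F2 = p v q, F3 = (p v q) ^ (r v ~r).
F1 = lit('p')
F2 = ('or', lit('p'), lit('q'))
F3 = ('and', F2, ('or', lit('r'), lit('~r')))

if __name__ == '__main__':
    print(d_subsumes(F1, F2), c_subsumes(F1, F2))   # True True
    print(d_subsumes(F1, F3), c_subsumes(F1, F3))   # True False
    print(c_reduces_via(F1, F3))                    # [F2, ('lit', 'p')]
```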

Of course, the dual notion of d-reduction is defined in the obvious way, and the dual of Lemma 13 holds. To adapt these notions to the connection-graph setting, it is most convenient to restrict attention to c-reduction.

Suppose F c-reduces F' via H'. Suppose furthermore that for each non-contradictory c-path P' in H', each literal p is linked to a subset of the literals linked to occurrences of p on P ⊇ P' for some non-contradictory c-path P in F. Then we say that F cg-c-reduces F' via H'.

Lemma 14. Let S be a spanned set of NNF formulas in which F ∈ S cg-c-reduces F' via H'. Then S_H' = (S − {F'}) ∪ {F' − DE(H')} is spanned.

Proof. Suppose for some c-path P through S, every link on P meets DE(H'). We may write P = P_1 P_DE(H') P_F, where P_DE(H') is the part of P in DE(H') and P_F is the part of P in F. Since F c-subsumes H', P_F ⊇ P', for some c-path P' of H'. The c-path P_1 P' P_F is a c-path of S and contains a link. But this link must be to P'. But then P_F is also linked to the same literal by the definition of cg-c-reduction, contrary to the hypothesis that every link of P was to DE(H'). □

As with augmented cg-subsumption for CNF formulas, we may define augmented cg-c-reduction for NNF formulas. Suppose that in NNF connection graph 𝒢, formula F c-reduces formula F' via H' but does not cg-c-reduce F'. For each literal p_F on a c-path P_F that corresponds to a literal p_H' on a c-path P_H' ⊆ P_F, we add to F exactly those links required to ensure that L_{p_F} ⊇ L_{p_H'}. We may now apply cg-c-reduction. We say that F' has been augmented cg-c-reduced.

Of course, augmented cg-c-reduction preserves spanning. Adding links to the c-reducing formula cannot harm the spanning property, nor can the subsequent application of cg-c-reduction. As in the clausal case, we believe that completeness is unaffected, and neither the proof nor the search space has increased. As we have said, the NNF case is complex; an in-depth investigation of completeness and of the proof and search spaces is beyond the scope of this paper and left for future work. In the next subsection, we do take some preliminary steps in this direction.

5.3 Non-clausal Connection-Graph Resolution 

To define cg-resolution for NNF formulas, let 𝒢(S, 𝓛) be a connection graph containing NNF formulas E and F, and suppose the atom p occurs positively in E and negatively in F. Suppose further that 𝓛 contains a non-empty set L of links of the form {p_E, p̄_F}. Then we may cg-resolve formulas E and F to produce the connection graph 𝒢'(S', 𝓛'), where S' = S ∪ {H}, and

$$
H = E[p/\mathit{false}] \lor F[p/\mathit{true}] .
$$

The resulting set of links 𝓛' is defined as follows: If p occurs only positively in E and only negatively in F, then 𝓛' = (𝓛 − L) ∪ INH; otherwise, 𝓛' = 𝓛 ∪ INH. The set INH consists of inherited links. As in the CNF case, each literal in H comes from one in E or from one in F and so inherits the links the corresponding literal had in the parent formula. Formally,

$$
\mathit{INH} = \{\{p_H, p_G\} \mid \{p_E, p_G\} \in \mathcal{L} \text{ or } \{p_F, p_G\} \in \mathcal{L}\} .
$$
Example 3. Consider the NNF connection graph consisting of four numbered formulas in Fig. 1. The graph is fully linked except for {p2, p4}, which is not present. (In the figure, links are denoted by arcs connecting the linked literals.) The remaining links span the graph.

If we cg-resolve on {p3, p4} (highlighted by the dashed arc), the resolvent is (false ∨ (true ∧ r)) ∨ (false ∨ q). Simplifying the latter yields

(5) r ∨ q.

Observe that the activated link must not be deleted, because p has mixed polarity in (3).

Fig. 1. NNF connection graph.

The careful reader will have noticed that whenever the atom resolved upon has mixed polarity in either parent formula, no links are deleted. This may at first seem surprising; however, past studies have shown that link deletion in the NNF setting is complicated. See, for example, [10]. More to the point, this restriction is crucial to the spanning-preservation lemma below. To see this, consider again Example 3 (Fig. 1). If the activated link were deleted, the c-path {q̄1, p2, p3, p4, r̄5} would be unlinked. In fact, successive applications of the Pure Rule would remove every formula from the graph, resulting in the (satisfiable!) empty conjunction.
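The NC-resolvent with true/false simplification, the polarity restriction of Sect. 5.1 and the link-deletion condition of Sect. 5.3, as an added Python example (not code from the paper). The tuple encoding is an assumption, and the two parent formulas are constructed to match the resolvent displayed in Example 3, since the figure's formulas are not given in the text.

```python
"""NC-resolution on ground NNF formulas (added example, not the paper's code).

Formulas are nested tuples: ('lit', 'p') or ('lit', '~p') for literals,
('and', f, g) and ('or', f, g) for the connectives, and the constants
('true',) and ('false',).  F[p/beta] replaces the ATOM p, so a negative
literal ~p becomes the complement of beta, and the true/false simplifications
the paper assumes are applied afterwards.
"""

TRUE, FALSE = ('true',), ('false',)

def lit(s):
    """Literal from a string: 'p' or '~p'."""
    return ('lit', s)

def atom_of(l):
    return l[1].lstrip('~')

def is_positive(l):
    return not l[1].startswith('~')

def simplify(f):
    """Constant folding of true/false under and/or (the paper's "simplifications")."""
    if f[0] in ('and', 'or'):
        a, b = simplify(f[1]), simplify(f[2])
        unit, absorb = (TRUE, FALSE) if f[0] == 'and' else (FALSE, TRUE)
        if a == absorb or b == absorb:
            return absorb            # x & false -> false,  x | true -> true
        if a == unit:
            return b                 # true & x -> x,  false | x -> x
        if b == unit:
            return a
        return (f[0], a, b)
    return f

def subst(f, p, value):
    """F[p/value] for a boolean value: replace every occurrence of atom p."""
    if f[0] == 'lit':
        if atom_of(f) != p:
            return f
        v = value if is_positive(f) else not value
        return TRUE if v else FALSE
    if f[0] in ('and', 'or'):
        return simplify((f[0], subst(f[1], p, value), subst(f[2], p, value)))
    return f

def polarities(f, p):
    """Set of polarities ('+', '-') with which atom p occurs in f."""
    if f[0] == 'lit':
        return {'+' if is_positive(f) else '-'} if atom_of(f) == p else set()
    if f[0] in ('and', 'or'):
        return polarities(f[1], p) | polarities(f[2], p)
    return set()

def nc_resolvent(F, G, p):
    """NC-resolvent of F and G on atom p: F[p/false] v G[p/true], simplified."""
    return simplify(('or', subst(F, p, False), subst(G, p, True)))

def dual_needed(F, G, p):
    """Polarity restriction of Sect. 5.1: the dual resolvent F[p/true] v G[p/false]
    is only needed when p is neither purely positive in F nor purely negative in G."""
    return not (polarities(F, p) == {'+'} or polarities(G, p) == {'-'})

def may_delete_link(F, G, p):
    """Link deletion of Sect. 5.3: the activated links {p_F, ~p_G} may be removed
    only if p is purely positive in F and purely negative in G."""
    return polarities(F, p) == {'+'} and polarities(G, p) == {'-'}

def show(f):
    """Render a formula as a string."""
    if f[0] == 'lit':
        return f[1]
    if f[0] in ('true', 'false'):
        return f[0]
    return '(' + show(f[1]) + (' & ' if f[0] == 'and' else ' | ') + show(f[2]) + ')'

# Constructed parents (assumption) consistent with the resolvent of Example 3:
# F3 = p | (~p & r) has p in both polarities, F4 = ~p | q.
F3 = ('or', lit('p'), ('and', lit('~p'), lit('r')))
F4 = ('or', lit('~p'), lit('q'))

if __name__ == '__main__':
    print(show(nc_resolvent(F3, F4, 'p')))   # (r | q)
    print(may_delete_link(F3, F4, 'p'))      # False: p has mixed polarity in F3
```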

Lemma 15. Suppose that a link {p_E, p̄_F} between formulas E and F in the NNF connection graph 𝒢(S, 𝓛) is selected and cg-resolution produces the connection graph 𝒢'(S', 𝓛'). Then 𝒢' is spanned, i.e., S' is spanned by 𝓛'.

Proof. If p occurs negatively in E or positively in F, then no links are deleted and the result is immediate. Otherwise, let the cg-resolvent be denoted by H. Consider a c-path P through 𝒢, for which the only links on P are in L. We must show that every extension of P through H is linked.

Observe that the cg-resolvent H is constructed as the disjunction of E' and F', where E' has all c-paths in E that do not contain p, and F' has all c-paths in F that do not contain p̄. (All literals containing p are replaced by false, and this amounts to computing the c-path complement of those occurrences; see Theorem 3.) All such c-paths in H have isomorphic c-paths in either E or in F from which a link is inherited.

More precisely, let P = P'P_E P_F be a c-path containing only links of the form {p_E, p̄_F}, which are deleted in the cg-resolution. Without loss of generality, extend P through E' in H to P P_H = P'P_E P_F P_E'. Let P*_E be the c-path in E isomorphic to P_E'. Since 𝒢 is spanned, the c-path P'P*_E P_F must have a link to P*_E. But this link is inherited on P_E'. □

Theorem 4. Non-clausal connection-graph resolution is refutation complete for 
propositional logic. 

Proof. Let 𝒢(S, 𝓛) be a connection graph whose NNF formula set S is spanned by 𝓛; we must show that there is a refutation of S using cg-resolution. Proceed by induction on the number n of distinct atoms in S. If there are none, then S contains false, and we are done. Otherwise, assume that all spanned connection graphs with at most n atoms can be refuted with cg-resolution, and suppose that S has n + 1.

If S is not minimally spanned, then restrict attention to a minimally spanned subset. Let p be any atom in S; we begin by deriving the unit formula {p} from S. If S contains the unit {p}, fine. Otherwise, successive applications of Lemma 10 produce a minimally spanned set of formulas S' in which all occurrences of CE(p) and DE(p̄) have been removed.

By the induction hypothesis, there is a refutation R by cg-resolution. Were we dealing with clauses, we could argue that if R is applied to S, either false or the literal p would be derived. However, in the NNF case, this is not obvious. The reason is that a given formula F_i of S may contain several occurrences of p and of p̄; the c-extension of each occurrence of p and the d-extension of each occurrence of p̄ are missing from the corresponding F'_i's in S'. The effect of R on each of these structures must be considered when applying R to S.

Consider first the c-extensions of p. The steps of R can change F_i outside CE(p) and can change CE(p) itself. Changes outside CE(p) either leave it unchanged or delete it in its entirety due to a simplification rule. Changes inside CE(p) can also delete it entirely. The other possibility is that what remains is a formula of the form p ∧ ψ. The point is, if CE(p) is not completely deleted, then a formula of the form p ∧ ψ remains.

The d-extensions of p̄ are disjunctions. When p̄ occurs in F_i, DE(p̄) is either F_i itself or a proper subformula of F_i. In the former case, F_i would have been removed in forming S' and not have participated in R. Otherwise, DE(p̄) is one conjunct in some conjunction of F_i. This conjunction is eliminated in R and will still be eliminated when R is applied to S, unless it also contains p; in that case the conjunction is simply one of the c-extensions of p that remain as discussed above.

In any case, the result of applying R to S is either false, in which case we are done, or a formula set S'' made up of formulas of the form p ∧ ψ. Observe that S''[false/p] will reduce to false via the simplification rules since every p ∧ ψ_j has this property.

Thus, R applied to S produces either false or the unit {p}. This unit cannot be pure, and we may proceed as in the CNF case: Resolve this unit with the F_i's that contain p̄. The resolvent will cg-subsume the other parent formula. Thus we can produce a formula set containing fewer occurrences of p̄. Repeating this process produces a formula set with one less atom, and the induction hypothesis gives us a refutation. □

We note that with augmented cg-c-subsumption, the above proof can be 
simplified in much the way that the proof for the CNF case was. It is worth 
mentioning that by using the distributive laws or d-path complement operators, 
a formula containing p both positively and negatively can be replaced by two, 
in each of which p occurs with only one polarity. In other words, we can force 
link deletion to be enabled, although it is not at all clear that doing so provides 
an advantage. 
5.4 Strong vs. Weak Completeness

We close with a brief discussion of strong completeness (any sequence of resolution steps chosen according to some easily decidable condition and starting with an unsatisfiable formula does end with the empty formula) vs. weak completeness (there is a sequence of resolution steps ending with the empty formula). Strong completeness of clausal cg-resolution was recently proven [4]. Unfortunately, we cannot hope to obtain a proof of strong completeness easily from the method employed in the present paper. The reason is that it is inherently existential, as are many completeness arguments. The existence of a proof combined with some simple fairness criteria yields strong completeness trivially when link deletion is not present: The space of proofs that exist is invariant with respect to what step is chosen next. But with link deletion, some proofs that exist prior to a step no longer exist after that step. Others do, but we cannot be sure that they are not perpetually receding over the horizon.
Abstract. This paper is concerned with various schemes for enhancing 
the performance of modal tableau procedures. It discusses techniques 
and strategies for dealing with the nondeterminism in tableau calculi, as 
well as simplification and backjumping. Benchmark results obtained with 
randomly generated modal formulae show the effect of combinations of 
different schemes. 



1 Introduction 

Usually the literature on theorem provers for modal logic confines itself to a description of the underlying calculus and methodology. Sometimes the description is accompanied with a consideration of the worst-case complexity of an algorithm based on the presented calculus or a small collection of benchmark results. Problems arising when implementing modal theorem provers and also considerations concerning optimisations towards increased efficiency have received much less attention, which, of course, is typical in a field under development. Sometimes the description of the theorem prover mentions some simplification rules [2] or discusses the use of structure sharing and use-checking [9]. Less attention has been paid to an empirical evaluation of the influence of such optimisations. But, recent work by Giunchiglia and Sebastiani [7], Horrocks [10], and Hustadt and Schmidt [11,12] has put increased emphasis on optimisation techniques for modal decision procedures.

In this paper we discuss various known techniques and strategies [7,9,10] 
and study their usefulness by experiments. We focus on two techniques which 
we think are instrumental for increased efficiency, namely simplification and 
backjumping. These techniques are well-known from other areas of computer 
science, like automated theorem proving in propositional logic, constraint solving 
and search. Our exposition concentrates on a modal KE tableau [3,4], but applies 
equally to standard tableau [6,8]. 

The paper is organised as follows. Section 2 recalls some basic notions and 
describes a standard tableau calculus for the basic modal logic K. Section 3 
discusses the problems of dealing with the nondeterminism in tableau calculi. 
In Sections 4 and 5 we describe a simplification technique for modal tableau 
procedure and discuss the importance of backjumping and dependency-directed 
backtracking. Finally, Section 6 describes experiments which illustrate the effects 
in practice of the different optimisation techniques. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 187-201, 1998. 
2 Basic Notions

By definition, a formula of the basic modal logic K is a boolean combination of propositional and modal atoms. A modal atom is an expression of the form □φ where φ is a formula of K. A modal literal is either a modal atom or its negation. We assume that φ ∨ ψ is the abbreviation for ¬(¬φ ∧ ¬ψ) and ◇φ for ¬□¬φ. ⊤ denotes a constant true proposition and ⊥ a constant false proposition. φ̄ denotes the complementary formula of φ; for example, the complement of ¬p is p and the complement of □p is ◇¬p. The following notation will be used: φ and ψ denote modal formulae, C and D denote multisets of modal formulae, C; D denotes the multiset-union C ⊎ D, C; φ denotes C ∪ {φ}, and □C denotes the multiset {□φ | φ ∈ C}.



$$
(\land)\ \frac{C;\,\varphi \land \psi}{C;\,\varphi;\,\psi}
\qquad
(\lor)\ \frac{C;\,\varphi \lor \psi}{C;\,\varphi \ \mid\ C;\,\psi}
\qquad
(\lnot)\ \frac{C;\,\lnot\lnot\varphi}{C;\,\varphi}
$$

$$
(\bot)\ \frac{C;\,\varphi;\,\bar\varphi}{\bot}
\qquad
(\theta)\ \frac{C;\,D}{C}
\qquad
(K)\ \frac{\Box C;\,\Diamond\varphi}{C;\,\varphi}
$$

Fig. 1. Tableau rules for basic modal logic



Figure 1 describes the rules of a standard tableau system for basic modal logic as given by Goré [8] with a slight modification of the (⊥) rule. The numerator of any rule is a set of formulae of which one or two are distinguished. For example, the distinguished formula of the numerator of the rule (∧) is φ ∧ ψ. Distinguished formulae are called principal formulae. The denominator of any rule is a list of sets of formulae. The rules (∧), (∨), (¬), and (K) are the elimination rules, (θ) is the thinning rule, and (⊥) is the closure rule. A tableau for a set C of formulae is a finite tree labelled with finite sets of modal formulae whose root is labelled with C. A tableau rule with numerator C is applicable to a node labelled with C. The steps for extending a tableau are the following.



1. Choose a leaf node N labelled with C, a rule R which is applicable to C, and a set of principal formulae D.

2. If D are the principal formulae of R, having k denominators D_1, …, D_k, then create k successor nodes for N labelled with D_1, …, D_k, respectively.



A branch in a tableau is closed if its end node contains ⊥, otherwise it is open. A tableau is closed if all its branches are closed. The tableau calculus for basic modal logic by Fitting [6] uses the following refinement of the thinning rule (θ), called the branch modification rule:

$$
(BM)\ \frac{D;\,\Box C;\,\Diamond\varphi}{\Box C;\,\Diamond\varphi}
$$

where D contains no □-formula.
3 Nondeterminism in Tableau Calculi

As usual when implementing a set of proof rules in a deterministic algorithm, an important issue is how to deal with the nondeterminism present in the calculus. Several choices need to be made in extending a tableau, namely, which leaf node to continue with, which rule to apply, and to which principal formulae. The choices are don’t care nondeterministic and don’t know nondeterministic. A don’t care nondeterministic choice is an arbitrary choice of one among multiple possible continuations for a computation which render the same result, for example, the nondeterminism of the (∧) and (¬) rules, while a don’t know nondeterministic choice is a choice among multiple possible continuations which do not necessarily render the same result, for example, the nondeterminism of the (K) rule. Techniques and strategies are required for dealing with nondeterministic choices, in a way that ensures soundness and completeness while delivering good performance.

For the completeness of the calculus it is sufficient to assume that all choices are don’t know nondeterministic. However, a deterministic algorithm based on the assumption that all choices are don’t know nondeterministic will be hopelessly inefficient, since it has to consider all possible continuations of all the don’t care nondeterministic choices where the consideration of only one would suffice. Therefore, a clear distinction between don’t care and don’t know nondeterministic choices is necessary.

Even if we know which choices are don’t care and which are don’t know nondeterministic, the algorithm has to use a particular strategy to make these choices. It is well known for propositional decision procedures that different strategies lead to vastly different computational performance. For modal decision procedures such a body of knowledge does not seem to exist.

One of the problems is that applications of the (BM) and (K) rules have to be done don’t know nondeterministically. Consider the tableau T1 given by the single node {□p, ◇p, ◇¬p}. If we apply (BM) and (K) to the formula ◇p, we obtain T2 which cannot be closed. However, if we apply (BM) and (K) to the formula ◇¬p we obtain T3 which can be closed by an application of the closure rule. Within the framework of Fitting’s tableau calculus it is impossible to avoid this don’t know nondeterminism. Whenever there is more than one ◇-formula on a branch we systematically have to consider the application of the (K) rule to each of them (which can be done using backtracking).

T2:  {□p, ◇p, ◇¬p}          T3:  {□p, ◇p, ◇¬p}
            |(BM),(K)                  |(BM),(K)
         {p, p}                     {p, ¬p}

It is not only relevant to which formula we apply the diamond elimination rule, but also at which state of our computation we do so, since the preceding application of the branch modification rule might delete information which is relevant for finding a closed tableau. Consider the tableau T4 given by the single node {□p ∨ □q, ◇(¬p ∧ ¬q)}. We can apply (BM) and (K) to the second formula in the tableau and obtain tableau T5.
T5:  {□p ∨ □q, ◇(¬p ∧ ¬q)}
                |(BM),(K)
            {¬p ∧ ¬q}
It is not possible to obtain a closed tableau from T5. However, if we start by applying (∨) to the first formula in T4 and then (BM) and (K) to the second formula, we obtain the closed tableau T6.



T6:
                     {□p ∨ □q, ◇(¬p ∧ ¬q)}
                  (∨)/                   \(∨)
        {□p, ◇(¬p ∧ ¬q)}             {□q, ◇(¬p ∧ ¬q)}
               |(BM),(K)                    |(BM),(K)
          {p, ¬p ∧ ¬q}                 {q, ¬p ∧ ¬q}
               |(∧)                         |(∧)
          {p, ¬p, ¬q}                  {q, ¬p, ¬q}
               |(⊥)                         |(⊥)
              {⊥}                          {⊥}



There are several solutions to how a deterministic algorithm can deal with this problem. The most obvious solution is to use backtracking. The states when branch modification is applicable are remembered, and we can apply the rule at the current state of our computation or we can delay the application. We explore one possibility and restore the current state of the computation unless a closed tableau was found.

The nondeterminism of the branch modification rule can be avoided altogether. We can delay the application of the rule until we are sure that we can find a closed tableau whenever it exists for the formula under consideration. This is the case, for example, if we delay the application of the branch modification rule until no further elimination rules for the boolean connectives are applicable on the current branch. The knowledge representation system KRIS uses this solution [1].

There is a trade-off between these two solutions, and we are not aware of any 
theoretical or empirical analysis of this trade-off. The performance of a tableau- 
based theorem prover depends on our ability to generate as few branches in a 
tableau as possible, and to close branches as soon as possible. So, it is desirable 
to apply the diamond elimination and branch modification rules as early as 
possible. However, if we fail to close the tableau and we have to go back to an 
earlier state of the computation, then a lot of computational effort has been 
wasted. 

There are also solutions between the two extremes. For example, the modal 
theorem prover Ksat [7] proceeds as follows. Instead of delaying the application 
of the diamond elimination rule until no further applications of the elimination 
rules for boolean connectives are possible, it systematically applies all possi- 
ble applications of the diamond elimination rule before a possible application 
of Davis-Putnam’s propositional split rule. If none of the applications of the 
diamond elimination rule close the branch, it will continue with the intended 
application of the split rule. 

Unlike the diamond elimination rule and branch modification rule, the application of the elimination rules for the boolean connectives can be performed don’t care nondeterministically. However, this does not mean, as far as the efficiency of a modal theorem prover is concerned, that all possible continuations are equally preferable. Already Smullyan [16, p. 28] noted that it is more efficient to give priority to applications of the conjunction elimination rule, that is, disjunction elimination should be delayed until no further application of conjunction elimination is possible. Even if we follow Smullyan’s guideline it remains to decide in which order we apply the elimination rules to the formulae in a tableau. Three possible solutions can be found in existing systems:

(1) Select the first formula.

(2) Select the formula which contains the least number of occurrences of the disjunction operator (assuming all formulae are in negation normal form).

(3) Select the formula which has the smallest symbol weight.

For example, for {(p ∨ r) ∨ (q ∨ r), ◇(p ∧ r) ∨ ◇q, p ∨ (q ∨ r)} strategy (1) will select the first formula, strategy (2) will select the second formula, and strategy (3) will select the last formula. While the literature on heuristics for selecting split variables in Davis-Putnam algorithms is extensive, very little is known about appropriate strategies for selecting formulae in tableau algorithms.



4 Simplification 



This section describes a known simplification technique which helps to reduce both the lengths of branches and the number of nonredundant branches.

D’Agostino [3] has shown that an algorithm for testing the satisfiability of propositional formulae based on the tableau rules of Figure 1 for the propositional connectives is not able to simulate the truth table method for propositional logic in polynomial time. He proposes the replacement of the disjunction elimination rule by the rules of Figure 2. The resulting calculus, restricted to the rules for propositional connectives, is called KE. The connectives ∧ and ∨ are assumed to be commutative. The rule (∨S) is usually not explicit in presentations of KE, but implicit in the definition of subsumed formulae on a branch [15]. The calculus obtained by adding (θ) and (K) will be referred to as MKE. (Note that MKE is not related to the calculus DKE presented by Pitt and Cunningham [15] which is a free variable tableau method for modal logics.)

The truth table method always succeeds to prove that φ is a tautology using O(n · 2^k) computation steps, where n is the length of φ and k is the number of



$$
(PB)\ \frac{C}{C;\,\varphi \ \mid\ C;\,\bar\varphi}
\qquad
(\lor E)\ \frac{C;\,\varphi \lor \psi;\,\bar\varphi}{C;\,\psi}
\qquad
(\lor S)\ \frac{C;\,\varphi \lor \psi;\,\varphi}{C;\,\varphi}
$$

Fig. 2. Rules for disjunction elimination in KE
distinct variables in φ. D’Agostino and Mondadori [4, p. 303] show that there is a KE-refutation T of φ with T having O(n · 2^k) many nodes. However, their argument requires (i) applications of the (PB) rule which are not strongly analytic, and requires that (ii) after an application of the (∧) rule to a conjunction φ ∧ ψ one of φ or ψ has to be chosen don’t know nondeterministically for further analysis, while the other subformula is prohibited from further analysis. For systems which are based on the KE calculus but do not adhere to restriction (ii) there is no guarantee that we find a KE-refutation of φ using only O(n · 2^k) computation steps. Consider the formula φ1

$$
\varphi_1 = \lnot p \lor \lnot q \lor (\lnot\varphi^1_1 \land \lnot\varphi^2_1) \lor \dots \lor (\lnot\varphi^1_m \land \lnot\varphi^2_m) \lor ((p \lor \lnot\varphi^1_{m+1}) \land (q \lor \lnot\varphi^2_{m+1}))
$$

where the φ^i_j, 1 ≤ i ≤ 2, 1 ≤ j ≤ m+1, are pairwise distinct boolean combinations of p and q, not identical to either p or q. A truth table method will consider the four possible truth assignments to p and q and will show that φ1 is a tautology using O(|φ1|) computation steps. Note that the truth value of φ1 under a truth assignment to p and q is actually independent of the truth value of the φ^i_j.

The tableau method based on KE will try to find a closed tableau for φ̄1, that is

$$
p \land q \land (\varphi^1_1 \lor \varphi^2_1) \land \dots \land (\varphi^1_m \lor \varphi^2_m) \land ((\lnot p \land \varphi^1_{m+1}) \lor (\lnot q \land \varphi^2_{m+1})) .
$$

Following D’Agostino and Mondadori [4] we start by applying (PB) repeatedly with respect to the propositional variables p and q, to get the tableau of Figure 3. If we continue by applying conjunction elimination to φ1 we are able to close all branches but the leftmost branch. On the leftmost branch we cannot apply the (⊥) rule, but have to proceed by further applications of the (PB) rule. Figure 4 shows that we can close the leftmost branch with only one application of the (PB) rule to the formula ¬p ∧ φ¹ₘ₊₁, followed by applications of the (∧), (∨E) and (⊥) rules. The size of the tableau is O(m) which is within the upper bound given by D’Agostino and Mondadori. However, if we proceed by applications of the (PB) rule to the formulae φ¹₁, …, φ¹ₘ, and finally to ¬p ∧ φ¹ₘ₊₁, then we obtain a tableau of size O(m · 2^m) which exceeds the upper bound. Figure 5 shows a part of the tableau we obtain in this case.

The formula selection strategies of the previous section do not ensure the tableau of Figure 4 is constructed instead of the one of Figure 5. Our proposed solution to this problem is the introduction of simplification techniques into tableau calculi.



                        {φ1}
                (PB)/          \(PB)
             {φ1, p}          {φ1, ¬p}
         (PB)/      \(PB)
   {φ1, p, q}      {φ1, p, ¬q}

Fig. 3. First part of a tableau T10 for φ1
Fig. 4. Application of (PB) with respect to p ∨ ¬φ¹ₘ₊₁ in the leftmost branch of T10 (tableau diagram not reproduced)

Fig. 5. Applications of (PB) with respect to φ¹₁, …, p ∨ ¬φ¹ₘ₊₁ in the leftmost branch of T10 (tableau diagram not reproduced)
$$
\begin{array}{lll}
\lnot\varphi \lor \varphi \to \top & \varphi \lor \top \to \top & \varphi \lor \varphi \to \varphi \\
\lnot\varphi \land \varphi \to \bot & \varphi \land \top \to \varphi & \varphi \land \varphi \to \varphi \\
\Box\top \to \top & \lnot\top \to \bot &
\end{array}
$$

Table 1. Rewrite rules for modal formulae

Let φ[ψ/ω] be the formula obtained from φ by replacing all occurrences of ψ which do not occur in the scope of a modality by the formula ω (either ⊤ or ⊥). More precisely, φ[ψ/ω] is defined by

$$
\varphi[\psi/\omega] =
\begin{cases}
\omega & \text{if } \varphi =_{AC} \psi \\
\bar\omega & \text{if } \varphi =_{AC} \bar\psi \\
\lnot\varphi_1[\psi/\omega] & \text{else if } \varphi = \lnot\varphi_1 \\
\varphi_1[\psi/\omega] \land \varphi_2[\psi/\omega] & \text{else if } \varphi = \varphi_1 \land \varphi_2 \\
\varphi_1[\psi/\omega] \lor \varphi_2[\psi/\omega] & \text{else if } \varphi = \varphi_1 \lor \varphi_2 \\
\varphi & \text{else.}
\end{cases}
$$

Here =_AC denotes equality modulo associativity and commutativity of the connectives ∧ and ∨, while = denotes syntactic equality. Let φ↓ be the normal form of the formula φ obtained with the rewrite rules of Table 1. By C[ψ/ω] we denote the set {φ[ψ/ω] | φ ∈ C} and by C↓ we denote the set {φ↓ | φ ∈ C}.

The definition of φ[ψ/ω] differs from the one given by Massacci [14] in the use of equality modulo associativity and commutativity. Massacci achieves this by replacing the binary connectives ∧ and ∨ with set-oriented versions which are commutative, associative and idempotent. Furthermore, Massacci makes the implicit assumption that the replacement operation φ[ψ/ω] is followed by a form of elimination of the ⊤ and ⊥ symbols introduced, but does not specify how.

Let SKE and MSKE be the calculi of KE and MKE endowed with the following rule.

$$
(S)\ \frac{C;\,\varphi}{C[\varphi/\top]{\downarrow};\,\varphi}
$$

The rule can be applied don’t care nondeterministically. One possible strategy is to apply (S) after an application of (PB) as follows.

                  C
          (PB)/       \(PB)
          C;φ          C;φ̄
           |(S)          |(S)
     C[φ/⊤]↓;φ     C[φ̄/⊤]↓;φ̄

In this case, the (∨E) and (∨S) rules are obsolete.

Figure 6 shows an SKE-tableau for the formula φ_1. Since each of the final
sets contains ⊥, the tableau is closed. A procedure following the strategy exem-
plified in Figure 6, and restricting (PB) to propositional variables, corresponds
exactly to a Davis-Putnam procedure for formulae which are not in clausal form.
If we delay the application of the rule (S) until we have applied (PB) to all pro-
positional variables occurring in the formula φ under consideration, we obtain a
procedure which corresponds exactly to the truth table method.

Fig. 6. A closed tableau for φ_1 using SKE
[Figure residue: the root {φ_1} is split by (PB) into {φ_1, p} and {φ_1, ¬p}. On the left, (S) gives {φ_1[p/⊤]↓, p}, which (PB) splits on q into {φ_1[p/⊤]↓, p, q} and {φ_1[p/⊤]↓, p, ¬q}; (S) then gives {φ_1[p/⊤][q/⊤]↓, p, q} and {φ_1[p/⊤][¬q/⊤]↓, p, ¬q}. On the right, (S) gives {φ_1[¬p/⊤]↓, ¬p}.]

We do not claim that simplification is a solution to the problem of choosing
the next formula to be expanded, but by adopting the case distinction mechanism of
the truth table method together with simplification, a procedure can be devised
which is no worse than the truth table method. Note that the rule (S) can
also be added to standard tableau calculi. Simplification by (S) is a means of
closing a branch as soon as possible. As a side effect the number of branches is
also reduced, since superfluous applications of the (PB) rule can be avoided. In
addition, branches are shorter and the counterexample obtainable from an open
branch is simpler.
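The definition of φ[ψ/ω], the normal form of Table 1 and the (PB)-then-(S) strategy described above, as an added Python illustration; this is not code from the paper, whose implementation is in SICStus Prolog. The tuple representation, the names `subst`, `simplify`, `ske` and `closed`, the constructed formulas and the NNF treatment of complements (so that p[¬p/⊤] becomes ⊥, as in the right branch of Figure 6) are assumptions of this example, and so are the ⊥-rules dual to the ⊤-rules of Table 1, which the elimination of ⊤ and ⊥ mentioned above requires but which are not reproduced on this page. The example also checks the observation made for φ_2 in the backjumping section: replacing □¬r by ⊤ removes the clause □¬r ∨ □s and leaves the literal □r untouched.

```python
"""Simplification rule (S) over formulas in negation normal form (NNF).
Formulas are tuples: ('var', name), ('not', f), ('and', f1, ..., fn),
('or', f1, ..., fn), ('box', f), ('dia', f) and the constants TOP and BOT."""
TOP, BOT = ('top',), ('bot',)

def var(n): return ('var', n)
def neg(f): return ('not', f)
def box(f): return ('box', f)
def conj(*fs): return ('and',) + fs
def disj(*fs): return ('or',) + fs

def canon(f):
    """Canonical form modulo associativity/commutativity of 'and'/'or';
    canon(f) == canon(g) is the equality =_AC used in the definition of φ[ψ/ω]."""
    if f[0] in ('and', 'or'):
        args = []
        for g in f[1:]:
            g = canon(g)
            args.extend(g[1:] if g[0] == f[0] else [g])
        return (f[0],) + tuple(sorted(args, key=repr))
    if f[0] in ('not', 'box', 'dia'):
        return (f[0], canon(f[1]))
    return f

def ac_eq(f, g):
    return canon(f) == canon(g)

def compl(f):
    """NNF complement of a literal: compl(p) = ¬p, compl(¬p) = p (assumption)."""
    return f[1] if f[0] == 'not' else neg(f)

def subst(phi, psi, omega):
    """φ[ψ/ω]: ψ becomes ω and its complement ¬ω, only outside modalities;
    modal subformulas are returned unchanged (the 'else' case)."""
    if ac_eq(phi, psi):
        return omega
    if ac_eq(phi, compl(psi)):
        return neg(omega)
    if phi[0] == 'not':
        return neg(subst(phi[1], psi, omega))
    if phi[0] in ('and', 'or'):
        return (phi[0],) + tuple(subst(g, psi, omega) for g in phi[1:])
    return phi

def simplify(f):
    """Normal form φ↓ w.r.t. Table 1; the ⊥-rules dual to the ⊤-rules
    (¬⊥ → ⊤, φ ∧ ⊥ → ⊥, φ ∨ ⊥ → φ, ◇⊥ → ⊥) are assumed."""
    if f[0] in ('var', 'top', 'bot'):
        return f
    if f[0] == 'not':
        g = simplify(f[1])
        return BOT if g == TOP else TOP if g == BOT else neg(g)
    if f[0] in ('box', 'dia'):
        g = simplify(f[1])
        return g if (f[0], g) in (('box', TOP), ('dia', BOT)) else (f[0], g)
    op = f[0]
    unit, zero = (TOP, BOT) if op == 'and' else (BOT, TOP)
    args = []
    for g in f[1:]:
        g = simplify(g)
        for h in (g[1:] if g[0] == op else (g,)):   # flatten: associativity
            if h == zero:                            # φ ∧ ⊥ → ⊥,  φ ∨ ⊤ → ⊤
                return zero
            if h != unit and h not in args:          # φ ∧ ⊤ → φ,  φ ∧ φ → φ
                args.append(h)
    cargs = [canon(h) for h in args]
    if any(canon(compl(h)) in cargs for h in args):  # ¬φ ∧ φ → ⊥,  ¬φ ∨ φ → ⊤
        return zero
    return unit if not args else args[0] if len(args) == 1 else (op,) + tuple(args)

def atoms(fs, acc=None):
    """Candidates for (PB): variables and modal formulas outside any modality."""
    acc = [] if acc is None else acc
    for f in fs:
        if f[0] in ('var', 'box', 'dia'):
            if f not in acc:
                acc.append(f)
        elif f[0] in ('not', 'and', 'or'):
            atoms(f[1:], acc)
    return acc

def ske(branch, stats):
    """(PB) on an atom, then (S) with the new literal on both sides.  Returns an
    open branch (its literals) or None when every branch closes.  Modal atoms are
    opaque: an open branch would still have to pass the modal rules of MKE."""
    branch = [simplify(f) for f in branch]
    cset = [canon(f) for f in branch]
    if BOT in branch or any(canon(compl(f)) in cset for f in branch):   # (⊥)
        return None
    rest = [f for f in branch if f != TOP]
    cands = [a for a in atoms(rest) if a not in rest and compl(a) not in rest]
    if not cands:
        return rest
    stats['pb'] += 1
    for lit in (cands[0], compl(cands[0])):
        result = ske([simplify(subst(f, lit, TOP)) for f in rest] + [lit], stats)  # (S)
        if result is not None:
            return result
    return None

p, q, r, s = map(var, 'pqrs')
# The first four conjuncts of φ_2 from the backjumping section (ψ-clauses omitted).
PHI2 = conj(neg(box(s)), box(disj(p, r)), disj(box(neg(r)), box(s)), disj(neg(box(p)), box(r)))

def assume_box_not_r():
    """φ_2[□¬r/⊤]↓: the clause □¬r ∨ □s disappears while □r is untouched."""
    return simplify(subst(PHI2, box(neg(r)), TOP))

def closed(formulas):
    """(is the tableau closed?, number of (PB) applications)."""
    stats = {'pb': 0}
    return ske(list(formulas), stats) is None, stats['pb']
```

`closed([p ∨ q, ¬p ∨ q, ¬q])` needs a single (PB) application: after branching on p, (S) reduces the remaining formulas to complementary literals on both sides, which is the early closure the text attributes to simplification.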



5 Backjumping 

This section addresses how a tableau procedure can deal with the don't-know
nondeterminism inherent in the alternatives of the disjunction elimination rule
by forms of backtracking.

Many procedures utilize chronological backtracking, that is, they go back
to the most recent state before an application of disjunction elimination. The
next example illustrates the drawbacks of this form of backtracking. Let φ_2 be
a modal formula of the form

  ¬□s ∧ □(p ∨ r) ∧ (□¬r ∨ □s) ∧ (¬□p ∨ □r)
    ∧ (φ_1^1 ∨ φ_1^2 ∨ φ_1^3)
    ∧ ...
    ∧ (φ_n^1 ∨ φ_n^2 ∨ φ_n^3)

where the φ_j^i, with 1 ≤ i ≤ 3, are modal literals different from the modal
literals in the first four conjuncts of φ_2. Assume that φ_2 is satisfiable. Then:

1. □¬r is false in any model of φ_2, since □¬r and ¬□s ∧ (¬□p ∨ □r) imply ¬□p
   (□r together with □¬r would give □⊥ and hence □s), and □(p ∨ r) ∧ □¬r ∧ ¬□p
   is not satisfiable.

2. A simplification step replacing □¬r by ⊤ in φ_2 does not affect the literal □r.

A procedure based on MSKE will start by applying conjunction elimination
to φ_2. It is reasonable to continue with an application of the (S) rule to the
units ¬□s and □(p ∨ r). This will not close the tableau. Suppose we proceed
by a sequence of applications of (PB) and (S). Let us assume that one of the
first formulae to which we apply (PB) is □¬r, followed by n modal formulae
ψ_1, ..., ψ_n chosen from φ_1^1, ..., φ_n^3, and finally ¬□p. Let us further assume
that we construct the tableau in a depth-first way, considering the branch where
□¬r is true first. As □¬r is false in any model, traversing the tree below this
node, which has 2^n branches, is wasted. After closing the first and second branch
we know that whenever ¬□s, □(p ∨ r), and □¬r are true on a branch we will
be able to close it. However, this insight is not used by the procedure in order
to skip the consideration of the branches generated by the n applications of the
rule (PB) to the formulae ψ_1, ..., ψ_n.

This phenomenon is called thrashing [13]. Thrashing is the exploration of
subtrees of the search tree which differ only in inessential features. Due to the
rather complex constraints imposed by the modal formulae on a branch and
due to strategies which delay the evaluation of these constraints, modal theorem
provers are extremely vulnerable to thrashing.

Techniques that can be used to improve the backtracking behaviour of an
algorithm are backjumping [5] and dependency-directed backtracking [17]. Back-
jumping backtracks to the last branching point of the search tree which is relevant
to the failure on the current branch. For example, in the tableau

  {□p ∨ q, ◇¬p ∨ q, r ∨ s}
        | (∨)            \  B_3
  {□p, ◇¬p ∨ q, r ∨ s}
        | (∨)            \  B_2
  {□p, ◇¬p, r ∨ s}
        | (∨)            \  B_1
  {□p, ◇¬p, r}
        |
  {p, ¬p}

after closing the left-most branch backjumping enables us to backtrack past the
last branching point, thus skipping B_1, since the application of the (∨) rule to
r ∨ s has not introduced a formula to the leftmost branch that has contributed
to the derivation of p and ¬p.

Dependency-directed backtracking requires, in addition, the maintenance of
assumption sets which contain all formulae which have contributed to the closure
of a branch. Assumption sets are used to avoid the investigation of any branch
which contains the formulae in one of the assumption sets. The assumption sets
need to be transferred from one branch of the tableau to another. Furthermore,
their number can grow exponentially. For this reason, the additional benefit of
using dependency-directed backtracking instead of backjumping is often out of
proportion to the additional overhead.

Existing systems with backjumping are FaCT [10] and the Logics Work-
bench [9].
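The backjumping criterion described above, as an added example that is not taken from the paper: a depth-first search over a clause set is run once with chronological backtracking and once with backjumping, where the set of branching points relevant to a closure is passed upward and, if the current decision is not among them, the other alternative at that decision is skipped. Atoms are opaque names, so a modal literal such as □¬r is just a string and the modal reasoning of the paper's example is not modelled. The clause set built by `thrashing_instance` is constructed for this example and mirrors the shape of φ_2: a doomed first decision is separated from the closure that refutes it by n irrelevant decisions.

```python
"""Chronological backtracking vs. backjumping on a clause set, counting the
branches the depth-first search enters.  A clause is a list of (atom, polarity)
pairs, e.g. [('x', False), ('z', True)] stands for ¬x ∨ z."""

def falsified(clauses, assign, level):
    """Decision levels responsible for the first clause all of whose literals
    are false under `assign`, or None if no clause is falsified yet."""
    for clause in clauses:
        if all(atom in assign and assign[atom] != pol for atom, pol in clause):
            return {level[atom] for atom, _ in clause}
    return None

def search(clauses, order, assign, level, idx, stats, backjump):
    """None if an open branch (a satisfying assignment) was found, otherwise
    the set of decision levels relevant to the failure of every branch below."""
    conflict = falsified(clauses, assign, level)
    if conflict is not None:
        return conflict
    if idx == len(order):
        return None
    atom, relevant = order[idx], set()
    for value in (True, False):
        stats['branches'] += 1
        assign[atom] = value
        level[atom] = idx
        res = search(clauses, order, assign, level, idx + 1, stats, backjump)
        del assign[atom]
        del level[atom]
        if res is None:
            return None
        if backjump and idx not in res:
            # The closure did not depend on this decision, so the other
            # alternative would fail for the same reason: jump past it.
            return res
        relevant |= res
    relevant.discard(idx)
    return relevant

def solve(clauses, order, backjump):
    """(satisfiable?, number of branches entered) for a fixed decision order."""
    stats = {'branches': 0}
    res = search(clauses, order, {}, {}, 0, stats, backjump)
    return res is None, stats['branches']

def thrashing_instance(n):
    """Constructed instance: x = True is refuted by ¬x ∨ z and ¬x ∨ ¬z, but z is
    decided only after the n irrelevant atoms y1..yn, so chronological
    backtracking explores all 2^n assignments to them before retracting x."""
    order = ['x'] + ['y%d' % i for i in range(1, n + 1)] + ['z']
    clauses = [[('x', False), ('z', True)], [('x', False), ('z', False)]]
    return clauses, order
```

For n = 5 the chronological search enters 134 branches and the backjumping search 15; the gap grows as 2^n with the number of irrelevant decisions, which is the thrashing effect the text describes.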

6 Empirical Evaluation 

This section describes an empirical analysis of implementations of the calculus
MKE, its extension MSKE with simplification, and MSKE with
backjumping. The procedures were implemented using SICStus Prolog Version
3.5. Common features of the procedures are:

1. Input formulae are transformed into negation normal form, and then into a
normal form with respect to the rewrite rules of Table 1.

2. The connectives ∧ and ∨ are considered to be n-ary operators.

3. The rules (∧), (¬), and (⊤) are preferred over (PB) and (∨E). These in turn
are preferred over (θ) and (K).

4. Our realisation of the (PB) rule is strongly analytic. It is applied only to
the smallest disjunct of the selected formula, where the ordering on formulae
is defined by a weighted symbol count with □ and ◇ assigned 7, ∧ and ∨
assigned 0, and ¬ and every propositional variable assigned 1. The intention
is that propositional literals have smaller weight than modal literals of depth
one, which in turn have smaller weight than modal literals of depth two (on
the assumption that clauses have maximal length 3).

5. The elimination rules are applied to formulae with smallest weight (the
weights are those specified in 4), that is, selection strategy (3) is used.

The procedure MSKE applies the (S) rule to any formula introduced by the
(PB) rule.

The evaluation was done on a large set of formulae randomly generated
as proposed by Giunchiglia and Sebastiani [7] and adopted by Hustadt and
Schmidt [11]. The generated formulae are determined by the following parameters: the
number of propositional variables N, the number of modalities M, the number
of modal subformulae per disjunction K, the number of modal subformulae per
conjunction L, the modal degree D, and the probability P. Based on a given
choice of parameters random modal K-CNF formulae are defined inductively
according to:

1. A random (modal) atom of degree 0 is a variable randomly chosen from the
set of N propositional variables. A random modal atom of degree D, D > 0,
is with probability P a random modal atom of degree 0, or an expression of
the form □_i ψ otherwise, where □_i is a modality randomly chosen from the
set of M modalities and ψ is a random modal K-CNF clause of modal degree
D − 1.

2. A random modal literal (of degree D) is with probability 0.5 a random modal
atom (of degree D), or its negation otherwise.

3. A random modal K-CNF clause (of degree D) is a disjunction of K random
modal literals (of degree D).

4. Now, a random modal K-CNF formula (of degree D) is a conjunction of L
random modal K-CNF clauses (of degree D).

It is important to note that in contrast to generating random 3SAT formulae,
typically used for the evaluation of propositional decision procedures, generating
a random modal 3CNF clause of degree 0 means randomly generating a multi-
set of three propositional variables and negating each member of the multiset
with probability 0.5. This means the scheme we have just described allows for
tautologous subformulae, like p ∨ ¬p ∨ q, and contradictory subformulae, like
¬□(p ∨ ¬p ∨ p). Furthermore, most of the unsatisfiable random modal 3CNF for-
mulae are trivially unsatisfiable. By definition, a random modal 3CNF formula
φ is trivially unsatisfiable if the conjunction of the purely propositional clauses
of φ is unsatisfiable. It turns out that these formulae are well suited to show the
advantages and disadvantages of backjumping.

We use the parameter settings PS0 (N=5, M=1, K=5, D=2, P=0.5), PS1
(N=10, M=1, K=3, D=2, P=0.5), and PS2 (N=4, M=1, K=3, D=1, P=0.0).
PS2 was generated in accordance with the guidelines of [11], which means, for
all occurrences of □ψ in a random modal 3CNF formula of degree 1, ψ has to be
a nontautologous clause containing exactly three different literals.
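The generation scheme above, as an added Python illustration that is not code from the paper or from [7] or [11]; the tuple representation, the function names and the fixed seed are assumptions of this example. The `distinct` flag implements the PS2 guideline (K different variables in every degree-0 clause, hence no tautologous clause under a modality), and `trivially_unsat` implements the notion of trivial unsatisfiability defined above by brute force over the purely propositional clauses.

```python
"""Random modal K-CNF formulas following the inductive definition above.
Formulas are tuples: ('var', name), ('not', f), ('box', i, clause),
('or', literal, ...), ('and', clause, ...)."""
import itertools
import random

def random_atom(rng, N, M, K, D, P, distinct):
    """Degree 0: a variable.  Degree D > 0: with probability P a variable,
    otherwise □_i ψ with ψ a random clause of degree D - 1."""
    if D == 0 or rng.random() < P:
        return ('var', 'p%d' % rng.randrange(N))
    return ('box', rng.randrange(M), random_clause(rng, N, M, K, D - 1, P, distinct))

def random_literal(rng, N, M, K, D, P, distinct):
    atom = random_atom(rng, N, M, K, D, P, distinct)
    return atom if rng.random() < 0.5 else ('not', atom)

def random_clause(rng, N, M, K, D, P, distinct):
    """Disjunction of K random literals of degree D.  With `distinct` (the
    guideline of [11] used for PS2) a degree-0 clause draws K different
    variables and is never tautologous; otherwise the variables form a
    multiset, so clauses like p ∨ ¬p ∨ q occur."""
    if distinct and D == 0:
        lits = [('var', 'p%d' % i) for i in rng.sample(range(N), K)]
        return ('or',) + tuple(l if rng.random() < 0.5 else ('not', l) for l in lits)
    return ('or',) + tuple(random_literal(rng, N, M, K, D, P, distinct) for _ in range(K))

def random_formula(rng, N, M, K, L, D, P, distinct=False):
    """Conjunction of L random clauses of degree D."""
    return ('and',) + tuple(random_clause(rng, N, M, K, D, P, distinct) for _ in range(L))

def degree(f):
    if f[0] == 'var':
        return 0
    if f[0] == 'not':
        return degree(f[1])
    if f[0] == 'box':
        return 1 + degree(f[2])
    return max(degree(g) for g in f[1:])

def variables(clause):
    """Names of the variables of a degree-0 clause."""
    return {(l[1] if l[0] == 'not' else l)[1] for l in clause[1:]}

def ps2_conformant(f, K):
    """Every degree-0 clause under a modality has K pairwise different variables."""
    if f[0] == 'box':
        c = f[2]
        return len(variables(c)) == K if degree(c) == 0 else ps2_conformant(c, K)
    if f[0] == 'var':
        return True
    return all(ps2_conformant(g, K) for g in f[1:])

def trivially_unsat(formula):
    """The purely propositional clauses alone are unsatisfiable (brute force)."""
    prop = [c for c in formula[1:] if degree(c) == 0]
    names = sorted(set().union(*(variables(c) for c in prop)))
    for values in itertools.product((False, True), repeat=len(names)):
        env = dict(zip(names, values))
        if all(any(not env[l[1][1]] if l[0] == 'not' else env[l[1]] for l in c[1:])
               for c in prop):
            return False
    return True

def sample_formula(seed=7):
    """PS2-style sample: N=4, M=1, K=3, D=1, P=0.0, L=5, distinct variables."""
    return random_formula(random.Random(seed), N=4, M=1, K=3, L=5, D=1, P=0.0, distinct=True)
```

With P = 0 and D = 1 every literal of the sample is a modal literal, so the sample has no purely propositional clause at all and can never be trivially unsatisfiable; the settings PS0 and PS1, with P = 0.5, do produce propositional clauses and hence the trivially unsatisfiable formulae the text mentions.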

The tests were conducted by proceeding as follows. We take one of the para-
meter settings which fixes all parameters except L, the number of clauses. The
parameter L ranges from N to 40N for PS0 and PS1 and from N to 30N for
PS2. For each value of the ratio L/N a set of 100 random modal K-CNF for-
mulae of degree D is generated. For small L the generated formulae are more
likely to be satisfiable and for larger L the generated formulae are more likely to
be unsatisfiable. For PS2, already for L/N=30 all formulae are unsatisfiable, so
there is no need to increase the ratio beyond 30. For each generated formula φ
we measure the time needed by one of the tableau procedures to determine the
satisfiability of φ. There is an upper limit for the CPU time consumed. As soon
as this limit is reached, the computation for φ is stopped. Our tests were run on
a Sun Ultra 1/170E with 196MB main memory using a time-limit of 1000 CPU
seconds.

Figures 7-10 depict the outcome of our experiments in the form of percentile
graphs. Formally, the Q%-percentile of a set of values is the value V such that
Q% of the values are smaller than or equal to V and (100 − Q)% of the values are greater
than V. The median of a set coincides with its 50%-percentile.

Figure 7 illustrates the importance of design decision 2. Without accounting
for associativity of ∨ and ∧, the computational behaviour of MKE is drastically
worse. This can be attributed to the phenomenon that, whenever the (PB) rule
introduces a formula ψ on a branch, modal clauses like ψ_1 ∨ (ψ ∨ ψ_2) on the
branch become true and need not be considered. However, (∨S) is not applicable
when not regarding ∨ as being associative. Instead, MKE will apply the (PB)
rule to ψ_1. This leads to increased thrashing. Interestingly, the associativity
assumption is not important for MSKE.

When assuming ∨ is an n-ary operator inside MKE, then the rules (∨E)
and (∨S) have essentially the same effect as simplification in MSKE on K-CNF
formulae. This is illustrated by the graphs of Figures 8 and 9, for MKE and
MSKE on PS1. Only for the parameter setting PS2 do we see the advantage of
using simplification.

The effect of enhancing MSKE with backjumping is apparent in Figure 10.
Even though a slow-down is evident for the 50%-70%-percentiles on PS1, the
80%-90%-percentiles show a significant improvement. The slow-down is due to
the additional computational overhead of managing the information required
for performing backjumping. Nevertheless, there are almost no samples in our
benchmark suite for which MSKE with backjumping fails to terminate within
the given time limit.

It should be stressed that the advantages of the optimisation techniques
become most apparent on hard test formulae, which are difficult to come by.
The usefulness of the optimisation techniques discussed in this paper on other
problem sets, like the benchmark collection of the Logics Workbench, requires
further investigation.

Our discussion was limited to optimisations of modal KE procedures. Simi-
lar results can be obtained for standard tableau-based procedures with the same
enhancements. It is open, however, how enhanced KE and standard tableau
procedures compare.





Fig. 7. Graphs for MKE on PS0: (a) without associativity, (b) with associativity
Abstract. We study free variable tableau methods for logics with term declarations.
We show how to define a substitutivity rule preserving the soundness of the tableaux and
we prove that some other attempts lead to unsound systems. Based on this rule, we define a
sound and complete free variable tableau system and we show how to restrict its application
to close branches by defining a sorted unification calculus.



1 Introduction 

Recently in various areas of artificial intelligence, the importance of hybrid systems
of representation, in which sub-systems that employ different languages and inference
mechanisms co-exist, has become manifest. Amongst them, the logics that integrate
sort information in their specific structure have a special relevance in the field of
automatic deduction. Furthermore, it is well known that the use of sorts in the
universe of discourse can produce a drastic reduction in the search space, which in
itself yields more efficient deductions.

In some cases, besides the improvement of efficiency, the necessity of using
sorts in explicit reasoning has become manifest when dealing with taxonomic in-
formation. In this way the order sorted logics arise [Coh 87] [Wal 87] [Sch 89] [Fri 91],
in which deductions take note of the sort hierarchy. In a lot of them, the framework
of the deduction systems is substitutional, which means that the information about
sorts is only used when the process of unification obtains substitutions.

However, the use of order sorted logics where the information about sorts co-exists
with the information about individuals within the same formal framework [Wei 91]
[GLMN 96] turns out to be also interesting. One can say therefore that sorts are
dynamic, in opposition to the static behaviour that they maintain in the previous
logics. Following this line, it is possible to generalize the dynamism by declaring
the function and predicate symbols on the same level as the sort hierarchy and the
information about individuals. In this way the so-called logics with term declarations
arise as hybrid systems of representation that include, in a unique formalism, a classic
many sorted logic together with all the information that it entails (relations between
sorts, and sort declarations for function and predicate symbols).

In this paper we study free variable tableau methods for logics with term declara-
tions. A critical point of this work is determining which substitutions are well-sorted,
in the sense that the (static) sort of a variable and the (dynamic) sort of the substi-
tuting term are the same. A right concept of well-sortedness preserves the soundness
of substitutivity in tableaux while a wrong one produces unsound tableau systems.
We prove that the latter occurs in the only paper we know about a similar dynamic logic
[Wei 95].

*Research partially supported by the ESPRIT BR Working Group 6028 CCLII.
We present a first tableau method and prove its soundness with respect to our
notion of well-sorted substitutivity, and we show how to improve the method by
restricting the substitutivity rule to close branches. This requires the definition of a
calculus for solving unification problems with respect to term declaration theories.
We show this calculus is sound and complete, and we use it to prove the completeness
of an improved free variable tableau method.

This paper is organized as follows. Section 2 presents the Logic with Term Dec-
larations, explaining its main syntactical and semantical features. Section 3 studies
our well-sortedness concept. In Section 4, a ground tableau method is shown, and it
is extended to a free variable version in Section 5. Finally, Section 6 presents a sorted
unification calculus, which is used in Section 7 for defining a tableau system where
the substitutivity rule is only applied to close branches. Due to lack of space, some
proofs have been omitted. They can be found in [GLMN 97b].

2 The Logic with Term Declarations LTD

The logic LTD uses sorts in a dynamic way: function and constant symbols have
no static declarations in the signature. This means that we cannot infer the sort of any
term from its structure, neither syntactically nor semantically. Instead, LTD takes
advantage of sorts using a new formula constructor (t ∈ s) to declare that the term t
belongs to the sort s.

For example, if we have available the sorts nat and int, denoting respectively
natural and integer numbers, the function +, that adds two integers, can be declared
by the formula ∀x^int ∀y^int (x^int + y^int ∈ int). In fact, this declaration could be done
in a logic with static sorts, putting the function symbol + : int × int → int
in the signature, but then the behavior of + could not be specified any further. In our
approach, we are able to declare the function symbol + only when such information
is required. Even more, we can refine the behavior of +; for example, we can overload
the function +, expressing that when applied to naturals it results in another
natural, with the formula ∀x^nat ∀y^nat (x^nat + y^nat ∈ nat).

Another advantage of using term declarations comes from its combination with
sorted variables for expressing relations between sorts. For example we can express
that naturals are integers by ∀x^nat (x^nat ∈ int), or that the intersection of
naturals and integers is not empty by ∃x^nat (x^nat ∈ int).

On the other hand, since predicate symbols denote boolean functions, dynamic
declarations make no sense for them. However, as we do not know anything about
the sort of a term, we can apply predicates to every term.

A signature Σ for LTD consists of a finite set S of sorts s, together with sets
of constants C, function symbols F and predicate symbols P, the last two with an
associated arity for each of their elements. Next, we define terms and formulas for a
signature Σ and a sorted family of countable sets of variables X = (X^s)_{s∈S}.

Definition 1 The sets of Σ-terms T(Σ) and Σ-formulas F(Σ) are defined by:

  t ::= x^s (∈ X^s) | c (∈ C) | f(t_1, ..., t_n)          (f^n ∈ F; t_1, ..., t_n ∈ T(Σ))
  φ ::= t ∈ s | P(t_1, ..., t_n) | ¬φ | φ ∧ ψ | ∃x^s φ      (P^n ∈ P; t_1, ..., t_n ∈ T(Σ))

A Σ-theory, or simply a theory, is a set of term declarations t ∈ s. Usual first-order
formulas are defined by their classical abbreviations (∨, →, ∀).
Regarding semantics, we need domains to represent every sort appearing in the
signature; so the structures are built from families of domains. Considering that we do
not have static declarations, our domains can be empty.

Definition 2 A Σ-structure 𝒟 is a tuple consisting of:

1. A total domain D containing a family of domains {D^s | s ∈ S}.

2. Sets {c^𝒟 ∈ D | c ∈ C}, {f^𝒟 : D^n → D | f^n ∈ F} and {P^𝒟 : D^n → {t, f} | P^n ∈ P}
of interpretations of constants, function symbols and predicate symbols.

A valuation for 𝒟 is a sorted function ρ = (ρ^s)_{s∈S} such that ρ^s is a finite map
from X^s to D^s, for every s ∈ S. We will denote ρ^s by [ρ^s(x_1^s)/x_1^s, ..., ρ^s(x_n^s)/x_n^s],
where dom(ρ^s) = {x_1^s, ..., x_n^s} is the domain of ρ^s, and dom(ρ) = ∪_{s∈S} dom(ρ^s) is the
domain of ρ. Note that a valuation for 𝒟 verifies that ρ^s = [ ] for any s ∈ S such that
D^s = ∅. Finally, we will denote by ρ[d/x^s] the valuation that coincides with ρ except
for x^s, whose value is d.

A Σ-interpretation is a pair (𝒟, ρ) composed of a Σ-structure and a valuation for
it. The semantic value of a term t in (𝒟, ρ) is defined if its variables appear in dom(ρ).
In this case we denote it by [[t]]^𝒟_ρ, which is an element of D defined in the usual way.
For example, if f^n ∈ F then [[f(t_1, ..., t_n)]]^𝒟_ρ = f^𝒟([[t_1]]^𝒟_ρ, ..., [[t_n]]^𝒟_ρ) whenever the
variables of t_1, ..., t_n are in dom(ρ).

Formulas in LTD are interpreted in a bivalued way when their free variables belong
to the domain of the valuation.

Definition 3 The boolean value of a Σ-formula φ in a Σ-interpretation (𝒟, ρ), such
that the free variables of φ belong to dom(ρ), is an element of {t, f}, denoted by [[φ]]^𝒟_ρ
and defined by:

  • [[t ∈ s]]^𝒟_ρ = t if [[t]]^𝒟_ρ ∈ D^s, and f otherwise.

  • [[P(t_1, ..., t_n)]]^𝒟_ρ = P^𝒟([[t_1]]^𝒟_ρ, ..., [[t_n]]^𝒟_ρ).

  • The semantics of ¬ and ∧ is the usual one.

  • [[∃x^s φ]]^𝒟_ρ = t if there is d ∈ D^s such that [[φ]]^𝒟_{ρ[d/x^s]} = t, and f otherwise.

In the sequel, when we write [[t]]^𝒟_ρ (resp. [[φ]]^𝒟_ρ), we assume that the free variables
of t (resp. φ) are in dom(ρ). Note that this assumption trivially holds when dealing
with ground terms (resp. sentences). Actually in this case, no valuation is needed,
so structures are enough to interpret these terms (resp. formulas), and then we sim-
plify the notation by writing [[t]]^𝒟 (resp. [[φ]]^𝒟). The concepts of model and logical
consequence are defined as usual and represented by using the symbol ⊨.

In order to show the expressive power of LTD we present two examples.

Example 4 We can prove the formula ∃x^{s''} (x^{s''} ∈ s'), expressing that the intersection
of the sorts s' and s'' is not empty, as a logical consequence of the set of formulas {a ∈
s, f(a) ∈ s'', ∀x^s (f(x^s) ∈ s')}. Note that in a static many-sorted logic without equality
this formula could not be expressed because we cannot represent the identification of
an element of two different sorts.

Example 5 Structures with the s-domain empty are syntactically characterized by
the formula ∀x^s (x^s ∉ s).
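Definitions 2 and 3 and the two examples above, as an added Python evaluator that is not part of the paper; the representation of structures (`Structure`, with finite domains given as Python sets and function and predicate interpretations as callables), the formula constructors and the concrete structure used for Example 4 are assumptions of this example. It evaluates the premises and the conclusion of Example 4 in one constructed structure (the logical-consequence claim of the example concerns all structures and is not checked here) and verifies Example 5 for an empty and for a non-empty s-domain.

```python
"""Evaluator for LTD formulas (Definition 3) over finite Σ-structures whose
sort domains may be empty."""
from collections import namedtuple

# total: the total domain D; sorts: {s: D^s}; consts: {c: c^D};
# funs: {f: callable f^D}; preds: {P: callable P^D returning a bool}.
Structure = namedtuple('Structure', 'total sorts consts funs preds')

def var(name, sort): return ('var', name, sort)
def const(name): return ('const', name)
def fun(name, *args): return ('fun', name, args)
def decl(t, sort): return ('in', t, sort)          # the declaration t ∈ s
def pred(name, *args): return ('pred', name, args)
def neg(f): return ('not', f)
def conj(f, g): return ('and', f, g)
def exists(x, f): return ('exists', x, f)
def forall(x, f): return neg(exists(x, neg(f)))   # classical abbreviation

def eval_term(t, M, rho):
    """[[t]] under valuation rho; a variable outside dom(rho) has no value."""
    if t[0] == 'var':
        return rho[t]
    if t[0] == 'const':
        return M.consts[t[1]]
    return M.funs[t[1]](*(eval_term(a, M, rho) for a in t[2]))

def eval_formula(phi, M, rho):
    """[[phi]] as in Definition 3; the valuation is a dict from variables to D."""
    kind = phi[0]
    if kind == 'in':
        return eval_term(phi[1], M, rho) in M.sorts[phi[2]]
    if kind == 'pred':
        return bool(M.preds[phi[1]](*(eval_term(a, M, rho) for a in phi[2])))
    if kind == 'not':
        return not eval_formula(phi[1], M, rho)
    if kind == 'and':
        return eval_formula(phi[1], M, rho) and eval_formula(phi[2], M, rho)
    x = phi[1]   # ∃x^s: witnesses range over D^s, so an empty D^s yields f
    return any(eval_formula(phi[2], M, {**rho, x: d}) for d in M.sorts[x[2]])

def satisfies(M, sentences):
    return all(eval_formula(f, M, {}) for f in sentences)

def example4():
    """Premises and conclusion of Example 4 in a constructed structure where
    f(a) lies in both s' and s''.  Returns (premises hold, conclusion holds)."""
    a, x_s, x_s2 = const('a'), var('x', 's'), var('x', "s''")
    premises = [decl(a, 's'), decl(fun('f', a), "s''"),
                forall(x_s, decl(fun('f', x_s), "s'"))]
    conclusion = exists(x_s2, decl(x_s2, "s'"))
    M = Structure(total={0, 1, 2}, sorts={'s': {0}, "s'": {1, 2}, "s''": {1}},
                  consts={'a': 0}, funs={'f': lambda d: 1 if d == 0 else 2}, preds={})
    return satisfies(M, premises), eval_formula(conclusion, M, {})

def example5(s_domain):
    """∀x^s (x^s ∉ s) holds exactly when D^s is empty."""
    x = var('x', 's')
    M = Structure(total={0, 1}, sorts={'s': set(s_domain)}, consts={}, funs={}, preds={})
    return eval_formula(forall(x, neg(decl(x, 's'))), M, {})
```

The empty-domain behaviour is the point of Example 5: the existential quantifier has no witness in an empty D^s, so its negation, the universal formula, is vacuously true there and false as soon as D^s has an element.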
3 Well-Sorted Substitutions

First-order logic satisfies the Substitution Lemma. This lemma states that the interpreta-
tion of a substituted formula φ[t_1/x_1, ..., t_n/x_n] is equal to the interpretation of the
formula φ, but properly changing the valuation of the variables x_1, ..., x_n to the in-
terpretation of the terms t_1, ..., t_n. In tableau methods, this result is needed to assure
soundness of the γ-rule, and also when dealing with free variable tableau versions.

Since we expect this kind of result in our logic, we have to find out which substi-
tutions satisfy it. The difficult point in LTD is that variables are sorted and when a
substitution [t_1/x_1^{s_1}, ..., t_n/x_n^{s_n}] is applied, the interpretation of some introduced term
t_i may not belong to the sort s_i of the replaced variable. So we must use substitutions
only in contexts guaranteeing [[t_i]] ∈ D^{s_i} for every 1 ≤ i ≤ n. A theory will be the
syntactic context that provides enough sort information about the terms to assure the
previous property.

Definition 6 (Well-Sorted Substitution) A substitution [t_1/x_1^{s_1}, ..., t_n/x_n^{s_n}] is
well-sorted w.r.t. the theory 𝒞 if t_i ≠ x_i^{s_i} implies (t_i ∈ s_i) ∈ 𝒞, for every 1 ≤ i ≤ n.

Lemma 7 Let 𝒞 be a theory, (𝒟, ρ) a Σ-interpretation satisfying 𝒞 and τ =
[t_1/x_1^{s_1}, ..., t_n/x_n^{s_n}] a well-sorted substitution w.r.t. 𝒞 such that (t_i ∈ s_i) ∈ 𝒞 ⇒ free(t_i)¹ ⊆ dom(ρ),
for every 1 ≤ i ≤ n. Then [[t_i]]^𝒟_ρ ∈ D^{s_i}, for every 1 ≤ i ≤ n.

Lemma 8 (Substitution for terms and formulas) Let 𝒞 be a theory, (𝒟, ρ) a
Σ-interpretation satisfying 𝒞 and τ = [t_1/x_1^{s_1}, ..., t_n/x_n^{s_n}] a well-sorted substitution
w.r.t. 𝒞 such that (t_i ∈ s_i) ∈ 𝒞 ⇒ free(t_i) ⊆ dom(ρ), for every 1 ≤ i ≤ n. For any term
t (resp. formula φ) such that free(t) − {x_1^{s_1}, ..., x_n^{s_n}} (resp. free(φ) − {x_1^{s_1}, ..., x_n^{s_n}})
is included in dom(ρ), it holds:

1. [[tτ]]^𝒟_ρ = [[t]]^𝒟_{ρτ}        2. [[φτ]]^𝒟_ρ = [[φ]]^𝒟_{ρτ}


4 The Ground Tableau Method

In this section we outline a ground tableau method for LTD as a basis for the free
variable tableau version. We will suppose that Σ has been extended to a signature Σ'
with a countable set of constants. A tableau for a set of sentences is a tree growing and
branching by the application of expansion tableau rules, according to the patterns of
the formulas labelling its nodes. For conjunction and disjunction formulas, branches
are enlarged or split, respectively, as in classical first-order tableaux, using the rules
α and β [Fit 96]. For quantified formulas we have the following expansion rules:

        ∀x^s φ     t ∈ s                 ∃x^s φ
  γ)  ---------------------       δ)  --------------
            φ[t/x^s]                     φ[c/x^s]
                                          c ∈ s

In γ, t is a ground term. In δ, c is a new constant not occurring in the branch.

Note that these two new rules are similar to the classical first-order ones, but here
the (dynamic) sort information is managed, using (t ∈ s) in the case of γ or introducing
(c ∈ s) in the case of δ, while in classical tableaux the (static) sort information is given
by the signature and no explicit reference is required by the corresponding rules.

¹free supplies the set of free variables of a term, a formula or a set of formulas.
Definition 9 A branch B of a tableau is closed if it contains an atomic contradiction,
that is, φ and ¬φ (φ atomic) appear in B. A tableau is closed if all its branches are
closed.

Theorem 10 (Soundness and Completeness) [GLMN 97a] For every set of Σ-
sentences Φ, Φ has a closed tableau if and only if Φ is not satisfiable.



5 Free Variable Tableaux

Now we will assume that the extended signature Σ' also contains a countable set of
function symbols. When dealing with free variables, the sorted variable occurring in
a γ-rule is not replaced by a ground term, but by a new free variable of the same sort.
So, in LTD we get the following two rules:

           ∀x^s φ                        ∃x^s φ
  γ')  ---------------        δ')  -----------------------------------
         φ[y^s/x^s]                  φ[f(x_1^{s_1}, ..., x_n^{s_n})/x^s]
                                     f(x_1^{s_1}, ..., x_n^{s_n}) ∈ s

In γ', y^s is a (new) free variable. In δ', f is a new function symbol applied to the free
variables x_1^{s_1}, ..., x_n^{s_n} occurring in the branch.

The free variables of a tableau may be substituted, but as argued in Section 3,
they can be replaced only by terms interpreted in the corresponding domain. This
condition is assured for a branch when the substitution is well-sorted w.r.t. the theory
included in this branch. However substitutions are applied to the whole tableau.
Requiring well-sortedness w.r.t. the theory of every tableau branch leads us to a too
strong condition, since a variable in the domain of a substitution may not occur free
in every branch. It will be enough to consider well-sortedness of substitutions w.r.t.
a branch, when they are restricted to the free variables of the branch. This property
is formalized in the following definition.

Definition 11 The substitution τ is well-sorted w.r.t. a tableau T with branches
B_1, ..., B_n, if τ|free(B_i)² is well-sorted w.r.t. the theory included in B_i, for every
1 ≤ i ≤ n.

Definition 12 (Substitutivity Rule) If T is a free variable tableau and τ is an
idempotent substitution well-sorted w.r.t. T then Tτ is a free variable tableau.

This rule will be called sub and we denote by S1 the tableau system composed of
α, β, γ', δ' and sub together with a closure definition, where the concepts of closed
tableau branch and closed tableau are defined as for ground tableaux.

The sense in which S1 preserves soundness has to be made more precise because
of the existence of empty domains. For example, the formula ∀x^s (¬P(a) ∧ P(a)) is
satisfiable in structures with empty s-domain, nevertheless the method S1 is able to
build a closed tableau for it. In order to prevent these cases, we prove soundness as
follows.

²This is the restriction of τ to the free variables of B_i.
Definition 13 A free variable tableau T is satisfiable if there exists a structure 𝒟 such
that for every valuation ρ for 𝒟 verifying free(T) ⊆ dom(ρ), there exists a branch B
with (𝒟, ρ) ⊨ B.⁴

Lemma 14 Let T be a free variable tableau satisfiable in a structure that for every
sort s has a non-empty s-domain. If the tableau T' is built by applying one of the
S1-rules to T, then T' is satisfiable in a structure with non-empty s-domain for every
sort s.

Proof. We only prove the case sub. Let τ be an idempotent substitution well-sorted
w.r.t. T. If 𝒟 is the structure that models T, we prove that it also makes T' = Tτ
satisfiable. Let ρ be a valuation such that free(Tτ) ⊆ dom(ρ); we extend ρ in order
to make it defined on T, which is possible because 𝒟 has non-empty domains. This
new valuation ρ' operates as ρ in T'.

By hypothesis, there exists a branch B_1 in T such that (𝒟, ρ') ⊨ B_1. If we define
τ_1 = τ|free(B_1), then from the well-sortedness of τ_1 w.r.t. B_1 and Lemma 8 we can
deduce that, for all φ such that free(φ) ⊆ dom(ρ'), [[φτ_1]]_{ρ'} = [[φ]]_{ρ'τ_1}.³

By hypothesis again, there exists B_2 in T such that (𝒟, ρ'τ_1) ⊨ B_2. If B_1 = B_2
then we have finished because [[B_2τ]]_{ρ'} = [[B_2τ_1]]_{ρ'} = [[B_2]]_{ρ'τ_1} = t. Otherwise, if
τ_2 = τ|free(B_2)−free(B_1), from the well-sortedness of τ_2 w.r.t. B_2 and Lemma 8 we can
deduce that for all φ such that free(φ) ⊆ dom(ρ'τ_1), [[φτ_2]]_{ρ'τ_1} = [[φ]]_{ρ'τ_1τ_2}. Note that
B_2τ = B_2τ_1τ_2, because τ is idempotent; so the process can be continued.

We prove that Tτ is satisfiable by repeating this procedure until we reach a branch
already used. This will be the case because T has a finite number of branches. ■

Theorem 15 (Soundness of S1) For every set of Σ-sentences Φ, if Φ has a closed
tableau then Φ is not satisfiable in structures where every sort s has a non-empty
domain.

Proof. Suppose that Φ is satisfiable in a structure 𝒟 with non-empty domains and
that Φ has a closed tableau T. Then by Lemma 14, T is satisfiable in a certain
structure 𝒟' with non-empty domains. So, we can build a valuation ρ defined for
every free variable of T such that there exists a branch B with (𝒟', ρ) ⊨ B. By
semantics, we get a contradiction because B is closed. ■

Observe that our claim of idempotence in the rule sub is critical for assuring
soundness, as we notice from the proof of Lemma 14. If the sub rule only demands well-
sortedness the system turns out to be unsound, as the following example shows.

Example 16 Let Σ be a signature with sorts s and s', constant symbols a and b,
and predicate symbols Q and P. Let 𝒟 be a Σ-structure such that a^𝒟 ∈ D^s ∩ D^{s'},
b^𝒟 ∈ D^s − D^{s'}, P^𝒟 is true in D^{s'} but false in D^s − D^{s'}, and Q^𝒟 is false in D^{s'} but true in
D^s − D^{s'}. Then the set {a ∈ s, b ∈ s, ¬Q(a), ¬P(b), ∀x^s (Q(x^s) ∨ (x^s ∈ s' ∧ ∀y^{s'} P(y^{s'})))}
can be checked to be satisfiable in 𝒟, in spite of having a closed tableau. In effect,
applying α, β and γ' properly, the following sketch T of tableau can be built:

³ρτ stands for the valuation ρ but interpreting every replaced variable x of τ as [[τ(x)]]^𝒟_ρ.
⁴The interpretation of a branch is the conjunction of the interpretations of its formulas.
        a ∈ s
        b ∈ s
        ¬Q(a)
        ¬P(b)
       /      \
  Q(x^s)     x^s ∈ s'
             P(y^{s'})

Note that [a/x^s, x^s/y^{s'}] is well-sorted w.r.t. T, and if we apply it to T we get T':

        a ∈ s
        b ∈ s
        ¬Q(a)
        ¬P(b)
       /      \
    Q(a)     a ∈ s'
             P(x^s)

T' can be closed if we apply the substitution [b/x^s], which is well-sorted w.r.t. T'.
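Definitions 6, 11 and 12 and the two-step derivation of Example 16, as an added Python illustration that is not code from the paper; the representation of a branch as a pair (theory, free variables of the branch), the function names and the `compose` helper are assumptions of this example. It shows that [a/x^s, x^s/y^{s'}] is well-sorted w.r.t. T but not idempotent, so the rule sub rejects it; that [b/x^s] is accepted on T'; and that the composite substitution, which sends y^{s'} to b, is not well-sorted w.r.t. T, because no branch of T contains b ∈ s'. This is the step the idempotence condition prevents.

```python
"""Well-sorted (Definition 6), tableau-well-sorted (Definition 11) and
idempotent substitutions, applied to the derivation of Example 16.
Terms: ('var', name, sort), ('const', name), ('fun', name, args)."""

def var(name, sort): return ('var', name, sort)
def const(name): return ('const', name)
def fun(name, *args): return ('fun', name, args)

def free_vars(t):
    if t[0] == 'var':
        return {t}
    if t[0] == 'const':
        return set()
    return set().union(*[free_vars(a) for a in t[2]])

def apply_subst(t, sub):
    if t[0] == 'var':
        return sub.get(t, t)
    if t[0] == 'const':
        return t
    return ('fun', t[1], tuple(apply_subst(a, sub) for a in t[2]))

def is_well_sorted(sub, theory):
    """Definition 6: every binding x^s -> t with t != x^s needs (t ∈ s) in the theory."""
    return all(t == x or (t, x[2]) in theory for x, t in sub.items())

def is_idempotent(sub):
    """No variable of the domain occurs in a term of the range."""
    return not any(free_vars(t) & set(sub) for t in sub.values())

def restrict(sub, variables):
    return {x: t for x, t in sub.items() if x in variables}

def is_well_sorted_for_tableau(sub, branches):
    """Definition 11; a branch is (theory, free variables of the branch)."""
    return all(is_well_sorted(restrict(sub, fv), th) for th, fv in branches)

def sub_rule_applies(sub, branches):
    """Definition 12: idempotent and well-sorted w.r.t. the tableau."""
    return is_idempotent(sub) and is_well_sorted_for_tableau(sub, branches)

def apply_to_tableau(branches, sub):
    """Substitute in the declarations and recompute the free variables."""
    return [({(apply_subst(t, sub), s) for t, s in th},
             set().union(*[free_vars(apply_subst(v, sub)) for v in fv]))
            for th, fv in branches]

def compose(first, second):
    """first;second: apply `first`, then `second`."""
    out = {x: apply_subst(t, second) for x, t in first.items()}
    for x, t in second.items():
        out.setdefault(x, t)
    return out

def example16():
    x_s, y_s1, a, b = var('x', 's'), var('y', "s'"), const('a'), const('b')
    base = {(a, 's'), (b, 's')}
    # Left branch: Q(x^s).  Right branch: x^s ∈ s', P(y^{s'}).  Only the
    # declarations and the free variables of each branch matter here.
    T = [(set(base), {x_s}), (base | {(x_s, "s'")}, {x_s, y_s1})]
    tau1 = {x_s: a, y_s1: x_s}
    T2 = apply_to_tableau(T, tau1)            # the tableau T' of the text
    tau2 = {x_s: b}
    tau = compose(tau1, tau2)                 # sends y^{s'} to b
    return {
        'tau1_well_sorted': is_well_sorted_for_tableau(tau1, T),
        'tau1_idempotent': is_idempotent(tau1),
        'tau1_allowed': sub_rule_applies(tau1, T),
        'tau2_allowed': sub_rule_applies(tau2, T2),
        'composite_well_sorted': is_well_sorted_for_tableau(tau, T),
    }
```

`example16()['composite_well_sorted']` is false because the binding y^{s'} ↦ b needs b ∈ s' in the right branch of T, which only declares a ∈ s, b ∈ s and x^s ∈ s'; the two individually well-sorted steps reach a conclusion that a single well-sorted substitution could not.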

Let us now make some reflections about some other possible presentations of a well-sorted substitution. In the table below, we present four different forms for defining a well-sorted (WS) substitution τ = [t_1/x_1^{s_1}, …, t_n/x_n^{s_n}] w.r.t. a theory 𝓛.

Name     Definition
RWS      ∀i((t_i ∈ s_i) ∈ 𝓛)
UWS      ∀i(t_i ∈ T_𝓛(s_i))
WeiWS    τ is UWS w.r.t. 𝓛 and ∃τ'(τ' ≤ τ ∧ dom(τ') ⊆ free(𝓛) ∪ dom(τ) ∧ τ' is RWS w.r.t. 𝓛)
RUWS     τ is RWS and UWS w.r.t. 𝓛

T_𝓛(s) stands for the set of terms of sort s occurring in the theory 𝓛, when 𝓛 is closed under sorted substitution, that is, using the formulas of 𝓛 as universally (U) quantified. The names of the previous well-sortedness concepts derive from their definition, so RWS stands for rigid^, UWS stands for universal, WeiWS stands for the definition used in [Wei 95], and RUWS stands for both universal and rigid.

The important fact about these definitions is that none of them satisfies Lemma 7, and so they lead to unsound tableau systems. Before proving it, let us remark that, according to our previous analysis, each of these four definitions can adopt two forms. We can either require the substitution to be well-sorted w.r.t. every branch (total substitutivity rules), or demand the well-sortedness of the replaced term only w.r.t. the branch where the variable occurs free (loose substitutivity rules). In all cases we obtain unsound substitutivity rules, so none of them is applicable to tableaux. We only prove the two cases of WeiWS; the other ones can be found in [GLMN 97b].

Example 17 Let Σ be a signature with sorts s and s', constant symbol a, and function symbol f. Let 𝒟 be the Σ-structure presented in the figure below, where arrows represent the definition of f^𝒟.

^This means that τ' is a particular case of τ.
^Note that our well-sorted substitutions can also be seen as rigid.

Then the set {a ∈ s, ¬f(f(a)) ∈ s, ∀x^s(f(f(x^s)) ∈ s ∨ (f(x^s) ∈ s ∧ … ∈ s))} can be checked to be satisfiable in 𝒟, but it has a closed tableau. Applying α, β and γ' properly, the following sketch T of tableau can be built:

a ∈ s
¬f(f(a)) ∈ s
f(f(x^s)) ∈ s   |   f(x^s) ∈ s
                |   … ∈ s

Then the substitution τ = [a/x^s, f(f(a))/y^{s'}] is total WeiWS w.r.t. T, and so loose WeiWS, and it can be used to close the tableau.

Theorem 18 (Completeness of S1) For every set of Σ-sentences Φ, if Φ is not satisfiable then Φ has a closed free variable tableau.

Proof. As Φ is not satisfiable, it has a closed ground tableau T. Now we show how we can systematically build in S1 a free variable tableau T' from the rules used in T, such that T = T'.

• Every time we apply α or β in T we apply them in T'.

• Every time we apply γ in T we apply γ' and sub in T', building T' like T, as follows. If the γ-application in T uses (t ∈ s) and a formula quantified over x^s, then in T' we apply γ', which introduces the instance with a new free variable y^s in place of x^s, and then apply the substitution [t/y^s]. This is possible because T' is built like T, so (t ∈ s) occurs in the branch and t is ground (hence the substitution is trivially idempotent and obviously well-sorted).

• Every time we apply δ in T we apply δ' in T', using the same constant symbol. Note that this is possible because after each of these steps T' remains ground, so the function symbol introduced by δ' is a constant. ■

6 Sorted Unification 

As in classical first-order tableaux [Fit 96], it is not convenient to apply the rule sub in an unrestricted way, because in that case we would not improve on the ground version. Therefore, we study its application only for closing branches. In this setting we need a unification calculus in order to find well-sorted unifiers for potentially complementary literals occurring in a branch.

Our calculus has to be strong enough to find well-sorted unifiers in a free variable tableau whenever its related ground version is closed. This idea is outlined in the following example.
Example 19 Let T be the closed ground sketch of tableau presented first below. After it, let T' be the free variable tableau built as T.

T (ground):

c ∈ s''
a ∈ s
∀x^s (x^s ∈ s')
P(a)
¬Q(c)
∀z^{s'}((a ∈ s' ∧ ¬P(z^{s'})) ∨ (P(z^{s'}) ∧ ∀y^{s''} Q(y^{s''})))
a ∈ s'
a ∈ s'       |   P(a)
¬P(a)        |   ∀y^{s''} Q(y^{s''})
             |   Q(c)

T' (free variable):

c ∈ s''
a ∈ s
∀x^s (x^s ∈ s')
P(a)
¬Q(c)
∀z^{s'}((a ∈ s' ∧ ¬P(z^{s'})) ∨ (P(z^{s'}) ∧ ∀y^{s''} Q(y^{s''})))
x^s ∈ s'
a ∈ s'       |   P(z^{s'})
¬P(z^{s'})   |   ∀y^{s''} Q(y^{s''})
             |   Q(y^{s''})

The sequence of unitary substitutions σ = [c/y^{s''}][x^s/z^{s'}][a/x^s] relates both tableaux. We have used it instead of τ = [c/y^{s''}, a/z^{s'}, a/x^s] to express more clearly the order in the γ-rule applications to T.



Sequences capture the idea of an order in the substitutions of the free variables of T', which in turn corresponds to the order used in the γ-applications to T. We introduce the concept of well-sorted sequence because the replacement of a certain variable can affect the well-sortedness of another one.



Definition 20 Let σ = σ_1…σ_n, 𝓛 and T be a sequence of unitary substitutions, a theory and a tableau, respectively. We say that σ is well-sorted w.r.t. 𝓛 (resp. T) if σ_i is well-sorted w.r.t. 𝓛σ_1…σ_{i−1} (resp. Tσ_1…σ_{i−1}), for every 1 ≤ i ≤ n.

Note that in the example σ is a sequence of unitary substitutions well-sorted w.r.t. T', and hence applicable by Theorem 15. However, we would not be allowed to apply τ above directly to T', because this substitution is not well-sorted w.r.t. T', since a ∈ s' does not belong to the second branch.

Using the same formulas that close T for closing T', our sorted unification calculus should be able to find a unifier for the following two unification problems, one for each branch:

1. z^{s'} ≈ a (branch B_1).   2. y^{s''} ≈ c (branch B_2).

A unifier must be found because σ is a well-sorted sequence of unitary substitutions, and so both problems have a solution.

In the next subsection the sorted calculus 𝒞 is presented. It tries to solve each problem separately, using the theory presented in the respective branch. However, the unifiers it obtains might not be well-sorted w.r.t. the whole tableau, so we have to check well-sortedness before applying the unifier. Such a test does not belong to the calculus itself but to the closure rule of the tableau method (cf. the unif rule in Definition 29). In the example, although the calculus 𝒞 can solve the first problem (branch B_1) through [a/z^{s'}], this substitution cannot be applied to T' because it is not well-sorted w.r.t. the branch B_2.
6.1 The Sorted Calculus 𝒞

The sorted calculus 𝒞 begins with a set of equations Γ to be unified and a theory 𝓛 that has to be observed. It works by building a well-sorted sequence of unitary substitutions w.r.t. 𝓛, by non-deterministic application of its rules. Every time a new element of the sequence is obtained, we record it immediately, but it is never applied directly to build a single substitution, because we need to keep the order of the applications. The unification problem is solved when the set of equations is empty.

There are twelve rules in 𝒞: the six standard rules for syntactic unification (tautology, decomposition, orientation, application, decomposition failure and cycle failure, cf. [Wei 95]) and the following six new sorted rules:

The Sorted Rules of 𝒞

Each rule transforms a pair (equations still to be solved ; sequence built so far) into a new pair, or into FAIL.

1. Extraction
   (x^s ≈ t, Γ ; σ_1…σ_n)  ⟹  (Γ ; σ_1…σ_n[t/x^s])
   if (t ∈ s) ∈ 𝓛σ_1…σ_n and x^s ∉ free(t).

2. Functional Weakening
   (x^s ≈ f(t_1,…,t_n), Γ ; σ_1…σ_n)  ⟹  (y^{s'} ≈ f(t_1,…,t_n), Γ ; σ_1…σ_n[y^{s'}/x^s])
   if in 𝓛σ_1…σ_n there are elements of the form y^{s'} ∈ s, … ∈ s', …, f(u_1,…,u_n) ∈ s^{(k)} (a chain of declarations ending in a term with root symbol f).

3. Functional Failure
   (x^s ≈ f(t_1,…,t_n), Γ ; σ_1…σ_n)  ⟹  FAIL
   if in 𝓛σ_1…σ_n there are no elements y^{s'} ∈ s, y^{s''} ∈ s', …, f(u_1,…,u_n) ∈ s^{(k)}.

4. Variable Weakening
   (x^s ≈ y^{s'}, Γ ; σ_1…σ_n)  ⟹  (t ≈ y^{s'}, Γ ; σ_1…σ_n[t/x^s])
   if s ≠ s', (t ∈ s) ∈ 𝓛σ_1…σ_n, t ≠ x^s and x^s ∉ free(t).

5. Variable Orientation
   (x^s ≈ y^{s'}, Γ ; σ_1…σ_n)  ⟹  (y^{s'} ≈ x^s, Γ ; σ_1…σ_n)
   if s ≠ s', (t ∈ s') ∈ 𝓛σ_1…σ_n, t ≠ y^{s'} and y^{s'} ∉ free(t).

6. Variable Weakening Failure
   (x^s ≈ y^{s'}, Γ ; σ_1…σ_n)  ⟹  FAIL
   if s ≠ s' and in 𝓛σ_1…σ_n there are neither elements of the form u ∈ s, u ∈ s_{x_1}, …, u ∈ s_{x_k} together with v ∈ s', v ∈ s_{y_1}, …, v ∈ s_{y_l} (witnessing a common subsort of s and s'), nor elements of the form f(…) ∈ s, f(…) ∈ s_{x_1}, …, f(…) ∈ s_{x_k} together with f(…) ∈ s', f(…) ∈ s_{y_1}, …, f(…) ∈ s_{y_l} (terms of subsorts of s and s' with the same root symbol f).

Now let us make some comments about the calculus 𝒞. Firstly, we suppose that the application of the standard rules always has preference over the sorted rules. In particular, this means that if functional weakening is applied to the equation x ≈ f(t_1,…,t_n) then x does not occur in any other equation.

Concerning the sorted rules, we comment the following. Only three rules in 𝒞 (extraction, functional weakening and variable weakening) extract unitary substitutions and build sequences.

The functional weakening rule is used when we try to unify a variable x^s and a functional term t. If there exists a chain of declarations in the current theory 𝓛σ_1…σ_n expressing that another term with the same root symbol as t belongs to the sort s, then we append the first link of the chain to the sequence of unitary substitutions. If the chain has a single element (f(u_1,…,u_n) ∈ s) ∈ 𝓛σ_1…σ_n then we apply the rule directly, without introducing extra variables. In both cases, x^s must not occur in any term of the chain. Furthermore, if the chain is not unitary, we suppose s ≠ s', excluding pointless applications of the rule.

The variable weakening rule is required to unify two variables x^s and y^{s'} of different sorts. The rule binds x^s to a term t, not containing x^s, that has a term declaration of sort s in the current theory.

The variable weakening failure rule is used when we try to unify two variables of different sorts and the current theory contains no chains of term declarations expressing that there is a common subsort of s and s', nor chains finishing in terms of subsorts of s and s' with the same functional root symbol.

Definition 21 Let Γ, Γ', σ_1σ_2…σ_n, σ_1σ_2…σ_{n'} and 𝓛 be two sets of equations, two sequences of unitary substitutions with n' ∈ {n, n+1}, and a theory, respectively. We say that the pair (Γ', σ_1…σ_{n'}) is 𝒞-accessible from (Γ, σ_1…σ_n), written (Γ, σ_1…σ_n) ⊢_𝒞 (Γ', σ_1…σ_{n'}), if we can obtain the pair (Γ', σ_1…σ_{n'}) from (Γ, σ_1…σ_n) using a 𝒞-rule. We say that 𝒞 unifies Γ w.r.t. 𝓛 by the sequence of unitary substitutions σ_1σ_2…σ_n if there exists a chain of the form (Γ, ∅) ⊢_𝒞 … ⊢_𝒞 (∅, σ_1…σ_n).

The calculus 𝒞 is sound in the sense that, given a solvable set of equations Γ and a theory 𝓛, it only builds sequences well-sorted w.r.t. 𝓛 that unify Γ. Furthermore, every sequence defines an idempotent substitution, so by the soundness of the sub rule we can apply it safely. The idempotence derives from the fact that the sequences the 𝒞-calculus obtains are triangular.

Definition 22 [Kog 95] A sequence of unitary substitutions [t_1/x_1^{s_1}]…[t_n/x_n^{s_n}] is triangular if

1. free(t_i) ∩ {x_1^{s_1}, …, x_i^{s_i}} = ∅, for every 1 ≤ i ≤ n;

2. x_i ≠ x_j, for 1 ≤ i < j ≤ n.

Theorem 23 (Soundness) Let Γ, 𝓛 and σ = σ_1…σ_n be a set of equations, a theory and a sequence of unitary substitutions, respectively. If 𝒞 unifies Γ w.r.t. 𝓛 by σ_1…σ_n then:

(i) σ is a well-sorted sequence w.r.t. 𝓛,

(ii) σ is triangular,

(iii) σ unifies Γ.

Note that in the previous theorem there is no mention of failure. In the calculus 𝒞 failure does not mean total failure but a partial one, in the sense that when we apply a rule and the produced set of equations is not unifiable, we must backtrack.
6.2 Completeness

Completeness means that if there exists a well-sorted unifier as a sequence of unitary substitutions, then 𝒞 finds a most general well-sorted unifier. Considering that we are interested in a tableau system, we can restrict ourselves to a particular set of unifiers: we only need to subsume the well-sorted sequences of unitary substitutions that could be inferred from a closed ground tableau. These sequences are ground^ and they can be characterized by the concept of hyperwell-sortedness.

Definition 24 A sequence of unitary substitutions [t_1/x_1^{s_1}]…[t_n/x_n^{s_n}] is hyperwell-sorted w.r.t. 𝓛 if (t_i ∈ s_i) ∈ 𝓛, for every 1 ≤ i ≤ n.

In a hyperwell-sorted sequence the order of the substitutions is not relevant, in the sense that the declaration of the replaced term explicitly appears in the theory. In fact, it can be easily proved that if a triangular sequence is hyperwell-sorted w.r.t. a theory 𝓛 then it is also well-sorted w.r.t. 𝓛.

We prove the completeness of 𝒞 in two steps, first with respect to theories and then with respect to tableaux. In both cases, in the completeness theorem we only consider hyperwell-sorted sequences, and we implicitly introduce in the theorem the concept of most general unifier.

Theorem 25 (Completeness for a theory) Let σ_1…σ_n be a ground triangular hyperwell-sorted sequence w.r.t. a theory 𝓛. Let Γ be a set of equations that is unified by σ_1…σ_n. Then the calculus 𝒞 unifies Γ w.r.t. 𝓛 by τ_1…τ_p and there exists another sequence θ_1…θ_k such that:

1. θ_1…θ_k is triangular,

2. θ_1…θ_k is hyperwell-sorted w.r.t. 𝓛τ_1…τ_p,

3. τ_1…τ_pθ_1…θ_k = σ_1…σ_n.

Sketch of proof. The idea is to build a transformation system 𝒮 of triples:

(Γ, τ_1…τ_p, η_1…η_r) ⊢_𝒮 (Γ', τ_1…τ_{p'}, ζ_1…ζ_s)

such that:

(i) (Γ, τ_1…τ_p) ⊢_𝒞 … ⊢_𝒞 (Γ', τ_1…τ_{p'}).

(ii) If η_1…η_r is a triangular hyperwell-sorted sequence w.r.t. 𝓛τ_1…τ_p which unifies Γ and verifies τ_1…τ_pη_1…η_r = σ_1…σ_n, then ζ_1…ζ_s is a triangular hyperwell-sorted sequence w.r.t. 𝓛τ_1…τ_{p'} which unifies Γ' and verifies τ_1…τ_{p'}ζ_1…ζ_s = σ_1…σ_n.

Starting with (Γ, ∅, σ_1…σ_n) and decreasing step-by-step the complexity of the triples w.r.t. a well-founded order, the system 𝒮 reaches a triple with minimum complexity satisfying Γ = ∅. In these conditions, we can build a sequence of the form:

(Γ, ∅, σ_1…σ_n) ⊢_𝒮 … ⊢_𝒮 (∅, τ_1…τ_p, θ_1…θ_k)

and so:

a) 𝒞 unifies Γ w.r.t. 𝓛 by τ_1…τ_p,

b) θ_1…θ_k is a triangular hyperwell-sorted sequence w.r.t. 𝓛τ_1…τ_p verifying σ_1…σ_n = τ_1…τ_pθ_1…θ_k. ■

^When required, sequences of unitary substitutions will be analyzed and compared through the 
composition they define. 
The completeness of 𝒞 w.r.t. a theory can be lifted to a tableau. First we define how to extend the concept of hyperwell-sortedness to tableaux.

Definition 26 A sequence of unitary substitutions σ = [t_1/x_1^{s_1}]…[t_n/x_n^{s_n}] is hyperwell-sorted w.r.t. a tableau T if for every branch B of T, the subsequence of σ that only replaces free variables of B, written σ|free(B), is hyperwell-sorted w.r.t. the theory included in B.

As with simple theories, we can prove the same result relating well- and hyperwell-sortedness. Therefore a triangular hyperwell-sorted sequence w.r.t. a tableau T is also well-sorted w.r.t. T.

If T is a closed ground tableau and T' is its related free variable version, then we can easily deduce from T different triangular hyperwell-sorted sequences w.r.t. T'. In Example 19, the two sequences [c/y^{s''}][x^s/z^{s'}][a/x^s] and [x^s/z^{s'}][a/x^s][c/y^{s''}] are triangular hyperwell-sorted w.r.t. T'. However, only the first one reflects the idea of a bottom-up ordering in the introduction of variables by application of the γ'-rule (the last variable introduced by γ' is the first variable appearing in the sequence). In order to make this ordering precise and specify the sequences that will be lifted, we introduce the following concept.

Definition 27 A sequence of unitary substitutions [t_1/x_1^{s_1}]…[t_n/x_n^{s_n}] is well-ordered w.r.t. a tableau T if for every 1 ≤ i < j ≤ n such that there exists a branch B of T with x_i, x_j ∈ free(B), it holds that x_i ∈ free(B') ⇒ x_j ∈ free(B'), for every branch B' of T.

So in a well-ordered sequence, if two variables x and y appear in a branch and x appears before y in the sequence, then y has been introduced by a γ'-application in every branch where x occurs. This means that the sequence [x^s/z^{s'}][a/x^s][c/y^{s''}] of Example 19 is not well-ordered w.r.t. T', because z^{s'} and y^{s''} occur in the second branch of T', but only z^{s'} occurs in the first branch.
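As an added illustration (my own Python, not the authors' implementation), the following encodes the conditions of Definitions 20, 22, 26 and 27 and runs them over the two branches of T' from Example 19 and the substitution of Example 16. The term and branch encoding is an assumption of mine: each branch is reduced to its term declarations plus the terms of its remaining literals.

```python
from dataclasses import dataclass

# Terms of the sorted signature: a variable carries its sort; constants and
# function applications carry a symbol and argument terms (encoding assumed here).
@dataclass(frozen=True)
class Var:
    name: str
    sort: str

@dataclass(frozen=True)
class App:
    sym: str
    args: tuple = ()

def free(t):
    """Free variables of a term."""
    return {t} if isinstance(t, Var) else set().union(*(free(a) for a in t.args))

def subst1(t, x, s):
    """Apply the unitary substitution [s/x] to the term t."""
    if isinstance(t, Var):
        return s if t == x else t
    return App(t.sym, tuple(subst1(a, x, s) for a in t.args))

# A branch is reduced to the term declarations t ∈ s it contains (its theory) plus
# the terms occurring in its other literals; this is an assumption of the example.
@dataclass(frozen=True)
class Branch:
    decls: tuple   # (term, sort) pairs, one per declaration t ∈ s on the branch
    terms: tuple   # terms of the remaining literals of the branch
    def free(self):
        return set().union(*(free(t) for t, _ in self.decls), *(free(t) for t in self.terms))
    def apply(self, x, s):
        return Branch(tuple((subst1(t, x, s), srt) for t, srt in self.decls),
                      tuple(subst1(t, x, s) for t in self.terms))

def declared(branch, t, x):
    """[t/x^s] is well-sorted w.r.t. a branch where x^s is free iff (t ∈ s) is on the branch."""
    return (t, x.sort) in branch.decls

def idempotent(pairs):
    """A simultaneous substitution [t1/x1, ..., tn/xn] is idempotent iff no xi occurs in any tj."""
    dom = {x for _, x in pairs}
    return all(not (free(t) & dom) for t, _ in pairs)

def well_sorted_subst(tableau, pairs):
    """Well-sorted simultaneous substitution w.r.t. a tableau: idempotent, and every
    [t/x] is declared on each branch in which x is free."""
    return idempotent(pairs) and all(
        declared(b, t, x) for b in tableau for t, x in pairs if x in b.free())

def well_sorted_seq(tableau, seq):
    """Definition 20: each σi is checked against Tσ1...σi-1, i.e. the tableau is
    updated after every unitary step."""
    cur = list(tableau)
    for t, x in seq:
        if not all(declared(b, t, x) for b in cur if x in b.free()):
            return False
        cur = [b.apply(x, t) for b in cur]
    return True

def triangular(seq):
    """Definition 22: ti contains none of x1..xi, and the xi are pairwise distinct."""
    xs = [x for _, x in seq]
    return len(set(xs)) == len(xs) and all(
        not (free(t) & set(xs[:i + 1])) for i, (t, _) in enumerate(seq))

def hyperwell_sorted(tableau, seq):
    """Definition 26: on every branch B, each [ti/xi] with xi free in B has (ti ∈ si) in B itself."""
    return all(declared(b, t, x) for b in tableau for t, x in seq if x in b.free())

def well_ordered(tableau, seq):
    """Definition 27: if xi precedes xj and some branch contains both, then every
    branch containing xi also contains xj."""
    xs = [x for _, x in seq]
    frees = [b.free() for b in tableau]
    for i in range(len(xs)):
        for j in range(i + 1, len(xs)):
            if any(xs[i] in f and xs[j] in f for f in frees):
                if not all(xs[j] in f for f in frees if xs[i] in f):
                    return False
    return True

# The two branches of the free variable tableau T' of Example 19, constructed
# from the sketch in the text.
a, c = App("a"), App("c")
x, z, y = Var("x", "s"), Var("z", "s'"), Var("y", "s''")
common = ((c, "s''"), (a, "s"), (x, "s'"))
B1 = Branch(common + ((a, "s'"),), (a, c, z))   # a ∈ s', ¬P(z^{s'}); closes against P(a)
B2 = Branch(common, (a, c, z, y))               # P(z^{s'}), Q(y^{s''}); closes against ¬Q(c)
T_PRIME = (B1, B2)

SIGMA = [(c, y), (x, z), (a, x)]     # [c/y][x/z][a/x], the sequence of Example 19
SIGMA2 = [(x, z), (a, x), (c, y)]    # same unitary pieces in another order
TAU = [(c, y), (a, z), (a, x)]       # the composition of SIGMA as one simultaneous substitution
EX16 = [(a, x), (x, Var("y", "s'"))] # [a/x^s, x^s/y^{s'}] of Example 16
```

Running the checks reproduces the text: SIGMA is well-sorted, TAU is rejected because a ∈ s' is missing from B2, SIGMA2 is hyperwell-sorted but not well-ordered, and the Example 16 substitution fails idempotence.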

From now on, we will only deal with well-ordered sequences. Following the ideas explained in Example 19, triangular hyperwell-sorted and well-ordered sequences w.r.t. a closed ground tableau can be easily deduced.

In order to get completeness, a result like Theorem 25 is not strong enough, because it only assures well-sortedness w.r.t. the initial theory; now we have to be sure that the obtained 𝒞-sequence unifying Γ is well-sorted w.r.t. the whole tableau T, which means that its application is sound by Theorem 15. So completeness is stated as follows.

Theorem 28 (Completeness for a tableau) Let σ_1…σ_n be a ground triangular hyperwell-sorted and well-ordered sequence w.r.t. a tableau T. Let Γ be a set of equations, obtained from a given branch B of T, that is unified by σ_1…σ_n. Then the calculus 𝒞 unifies Γ w.r.t. the theory included in B by the sequence τ_1…τ_p, which is well-sorted w.r.t. T, and there exists another sequence θ_1…θ_k such that:

1. θ_1…θ_k is triangular,

2. θ_1…θ_k is hyperwell-sorted and well-ordered w.r.t. Tτ_1…τ_p,

3. τ_1…τ_pθ_1…θ_k = σ_1…σ_n.
7 Free Variable Tableaux with Sorted Unification

In this section we take advantage of our sorted unification calculus 𝒞, presenting the tableau system S2. This system is composed of the rules α, β, γ', δ' and the following unification rule unif. The concepts of closed branch and closed tableau in S2 are defined as in S1.

Definition 29 (Unification Rule) Let B be a branch of a free variable tableau T containing two potentially complementary literals φ and ¬φ'. If 𝒞 unifies the set {φ ≈ φ'} w.r.t. B by the sequence σ_1…σ_n and such a sequence is well-sorted w.r.t. T, then Tσ_1…σ_n is a free variable tableau.

Note the importance of using sequences of unitary substitutions instead of a single substitution. Structuring 𝒞-unifiers in unitary substitutions determines whether the 𝒞-unifier is well-sorted or not w.r.t. the whole tableau.

Theorem 30 (Soundness of S2) For every set of Σ-sentences Φ, if Φ has a closed tableau then Φ is not satisfiable in structures with non-empty domains for every sort.

Completeness of S2 is obtained by a lifting lemma expressing that if we can close a ground tableau, then we can close its related free variable version.

Lemma 31 (Lifting Lemma) Let T be a free variable tableau and σ_1…σ_n a ground triangular hyperwell-sorted and well-ordered sequence w.r.t. T. Let T₀ be a ground tableau such that Tσ_1…σ_n = T₀. Then if T₀ is closed, T can be closed.

Proof. It is enough to prove that we can close a branch B of T using unif via a sequence τ_1…τ_p, and that there exists a ground triangular hyperwell-sorted and well-ordered sequence θ_1…θ_k w.r.t. Tτ_1…τ_p such that Tτ_1…τ_pθ_1…θ_k = T₀.

As T₀ is closed, in B we have two literals of the form P(t) and ¬P(t') (w.l.o.g. we suppose that P is unary) such that tσ_1…σ_n = t'σ_1…σ_n. By Theorem 28, there exists a sequence τ_1…τ_p such that 𝒞 unifies the set {t ≈ t'} w.r.t. B by τ_1…τ_p. This theorem also assures that such a sequence is well-sorted w.r.t. the whole tableau (so we can apply unif) and that there exists a ground triangular hyperwell-sorted and well-ordered sequence θ_1…θ_k w.r.t. Tτ_1…τ_p such that τ_1…τ_pθ_1…θ_k = σ_1…σ_n. Then Tτ_1…τ_pθ_1…θ_k = T₀. ■

Theorem 32 (Completeness of S2) For every set of Σ-sentences Φ, if Φ is not satisfiable then Φ has a closed free variable tableau.

8 Conclusions 

We have presented the logic with term declarations LTD. This is an order-sorted logic which extends classical first-order logic by introducing a new formula constructor t ∈ s, allowing the dynamic declaration of the term t as an element of sort s.

In [GLMN 97a] we have presented a ground tableau method for an extension of LTD with a new kind of formula t ⊑ t', expressing that the term t is less than or equal to the term t' in a preordered domain.

This time we have studied free-variable tableau versions for LTD. The first question to be solved is how to define sound substitutions of variables in tableaux. As far as we know, the only proposal of a similar tableau method [Wei 95] uses an unsound substitutivity rule. We have proved that this one and some other possible attempts to define such a rule fall into error, while our concept of a well-sorted substitution σ w.r.t. a theory of term declarations 𝓛 avoids unsoundness, by requiring idempotence of σ and the explicit declaration t ∈ s in 𝓛 for every substituted variable [t/x^s] of σ. This notion entails a certain component of rigidity, in the sense that demanding (t ∈ s) ∈ 𝓛 assures that the interpretation of t belongs to s when the valuation of its variables is fixed. So the variables of t do not behave as universally quantified, but as constants.

A free-variable tableau version S1 based on this substitutivity rule is proved sound and complete. However, there is no improvement w.r.t. the ground tableau version. So we have studied how to restrict its application to the closure of branches, and we have defined a calculus 𝒞 for unifying equations w.r.t. a set of term declarations. This calculus is sound and complete not only w.r.t. term declaration theories, but also w.r.t. tableaux. In both cases, substitutions are structured into unitary components [t_i/x_i]; a sequence of such unitary substitutions reflects the idea of an order in the introduction of free variables by applications of the γ'-rule. Finally, a free-variable tableau version S2 based on this unification rule is also proved complete.

Acknowledgments: We are greatly indebted to Susana Nieva for helpful discussions 
and comments. 
Abstract. Tableau and sequent calculi are the basis for most popular interactive theorem provers for formal verification. Yet, when it comes to automatic proof search, tableaux are often slower than Davis-Putnam, SAT procedures or other techniques. This is partly due to the absence of a bivalence principle (viz. the cut rule), but there is another source of inefficiency: the lack of constraint propagation mechanisms.

This paper proposes an innovation in this direction: the rule of simplification, which plays for tableaux the role of subsumption for resolution and of unit for the Davis-Putnam procedure.

The simplicity and generality of simplification make possible its extension in a uniform way from propositional logic to a wide range of modal logics. This technique gives a unifying view of a number of tableau-like calculi such as ••**, •*, ••••, hyper-tableaux, ••*, ••••.

We show its practical impact with experimental results for random 3- 
SAT and the industrial IFIP benchmarks for hardware verification. 



1 Introduction 

It is a widespread belief that methods based on the sequent calculus (such as 
tableaux) are hopeless for “real life” satisfiability and validity search. Even for 
decidable problems with a natural appeal for tableaux, such as modal or proposi- 
tional logics, experimental results have shown that other algorithms outperform 
them by orders of magnitude [6,12,16,27,33]. 

The key question is whether such a gap is inherent to tableau methods or whether something is simply missing. The answer is not only of theoretical interest but is extremely relevant for the development of formal verification tools.

Indeed, variants of the sequent calculus are the main techniques used by interactive theorem provers, such as Isabelle [22], PVS [26] or HOL [13]. Those provers have successfully tackled hardware and software verification and often require proving some properties in decidable sub-theories such as propositional logic (e.g. an N-bit binary adder) or fragments of arithmetic [26]. If tableaux are “hopeless by nature”, then non-sequent-based systems (outside the prover) should be consulted as oracles. For instance, efficient algorithms for propositional logics as one-off “derived rules” for HOL have been proposed in [15].

* A comprehensive review of the various results on simplification, including the first order case, can be found in [18].

To fill the computational gap, a number of works have improved the effectiveness of the tableau method by switching from ground calculi to free variable versions [23,11] with smart skolemisation techniques [1], adding ad-hoc rules for modus ponens and tollens [24,7,16,21], imposing regularity conditions [7,17], using controlled forms of cut [17,7], or factoring and merging [20,32], exploiting universal variables [4,3], and incorporating features of hyper-resolution [2]. In some cases [6] the quest for an efficient implementation has led from an original sequent calculus to a (seemingly different) Davis-Putnam procedure.

We propose a general technique, which subsumes a number of these approaches, and whose intuition is due to a comparison between tableaux and their “historical competitors”.

Since the very beginning, the Davis-Putnam-Logemann-Loveland (DPLL for short) procedure [9,8] and resolution [25] included rules for the simplification of the formulae to be proved unsatisfiable (e.g. unit or subsumption) without changing the basic inference mechanism.

The implementation of these simplification procedures is almost a research field in itself [31,33], and difficult problems could hardly (if at all) be solved by either resolution or DPLL without using them. On the contrary, even in modern texts on tableaux [11] everything is proved by “first principles”.

We advocate that the lack of rules for constraint propagation is one of the main causes of the computational gap^. Hence we need a simple theoretical innovation: an operation that plays for the sequent calculus the same role as unit for DPLL and subsumption for resolution. We call it simplification and discuss its application to propositional and modal logics.

The simplicity and flexibility of simplification make its application possible to a wide range of logics and logical formalisms, as soon as there is a sequent calculus. The only difficult feature is the enhancement of simplification as we “upgrade” the logic. Its effectiveness can enhance the computational power of interactive and automatic tableau based provers.

The introduction of simplification for the sequent calculus provides a unifying perspective of many (tableau based) deduction techniques and “explains away” the characteristics of the DPLL procedure (or the KSAT procedures of [12], which are based on DPLL) or KE. For instance, the first order version in [8] can be “re-interpreted” as a tableau à la Smullyan “plus” propositional simplification. Such an interpretation can also explain the comparative inefficiency of first-order DPLL versus propositional DPLL (see further [18]).

We show the practical impact of the operation of simplification on the performance of tableau methods: a simple Prolog implementation shows essentially the same easy-hard-easy computation pattern for random 3-SAT shown by DPLL [6], even with a simpler notion of simplification than the full fledged one used by DPLL. An extensive experimental analysis has also been carried out on the industrial IFIP (non clausal) benchmarks for hardware verification [5].

^ This has also been confirmed for modal logics by recent experimental studies [16] which clarified the gap between • • • • and tableau based procedures.

In the rest of the paper we present the intuitions behind the operation of simplification (§2) and introduce some preliminary notation (§3). Next, we present the calculus for propositional logics (§4), show how other approaches are subsumed (§5) and present the extension to modal logics (§6). Finally, we discuss the experimental results (§7) and conclude (§8).



2 Principles and Intuitions 

We assume a basic knowledge of the sequent calculus (see [28] for an introduction). In the sequel formulae are denoted by A, B, C, sets of formulae by Γ, Δ and sequents by Γ ⟹ Δ.

Simplification can be explained by comparing it with subsumption: bottom-up methods (resolution) explore the search space by generating new information, and to simplify the search they retain information to discard (newly generated) irrelevant facts. Top-down methods (tableaux) work by breaking existing information, and therefore the best way to delete irrelevant information should be anticipating the outcome of the search.

For example, consider the following α-rule:

Γ, A, B ⟹ Δ
----------------
Γ, A ∧ B ⟹ Δ

After this rule a tableau will continue to break down connectives until a branch closure rule can be applied. It looks for something like Γ, C ⟹ Δ, C.

Yet, after the α-step, there is some information that the calculus does not use to anticipate the outcome of its search: when all formulae in Γ ∪ {A, B} are true then A must be true, no matter what Δ is (equally for B). We can use this information about A to simplify Γ and Δ before reducing other connectives.

The simplest way is syntactic search: look for all exact^ occurrences of A in Γ and replace them with the constant ⊤; next perform some boolean operations to eliminate ⊤ and ⊥ from the formula; only afterwards continue with other rules.

The computational pay-off may seem doubtful: some time must be spent scanning the formula, replacing the occurrences with ⊤, eliminating boolean constants and so on. So what could be the gain?

Intuition 1. The sequent proof of Γ ⟹ Δ is potentially of size O(2^{|Γ ⟹ Δ|}) [30]. If we can reduce Γ ⟹ Δ to Γ* ⟹ Δ* so that its size decreases, if only by 1, we would reduce the potential search space at least by half.

We trade off some polynomial processing for an exponential gain: scanning the formula and looking for “exact” copies can be done in polynomial time.

^ With modal connectives or variables it is not so simple, but this is just the intuition.

Hence, if there is at least another occurrence of A (or B) in the sequent, it always pays off to replace this occurrence with ⊤: the resulting sequent will be smaller and thus the proof tree below will also be (exponentially) smaller.

We would like simplification to be

— locally applicable to single formulae;

— a sound and complete admissible rule for the underlying calculus;

— substantially a rewriting rule;

— a rule requiring polynomial time;

— such that the resulting formulae are (potentially) smaller.

Soundness is obvious. We need completeness only if we impose that simplification is applied before other rules. If rules can be applied in any order, incomplete simplification would be an “unsafe” rule over which we may backtrack [22].

Local applicability is also a key property and leads to rules like “simplify B using A”. The advantage of this definition and the rules we propose is that when we “upgrade” the logic we do not have (in general) to change the rules but only to specify the behavior of the operation for the new connectives we have introduced. The flexibility and modularity also make it easy to upgrade current implementations with these techniques.

3 Notation and Terminology

For an introduction to tableaux for propositional logic see [11,28], and [10,14] for propositional modal logics.

We construct propositional formulae A, B, C from a set of propositional atoms p, q ∈ 𝒫 and the boolean constants ⊤ and ⊥ with the logical connectives ∧, ∨, ¬, ⊃ etc. Propositional modal logics are obtained by adding the unary operators □ (necessity) and ◇ (possibility).

For the sake of modularity we use signed formulae and the α, β, ν, π notation of Smullyan [28] and Fitting [10]. Thus a signed formula, denoted by φ and ψ, is a pair t.A or f.A. In particular t.A (f.A) is a formula with positive (resp. negative) sign. If A is a propositional letter we say that it is a signed atom. The intuitive interpretation is that A is assumed to be respectively true and false. The conjugate φ̄ of a signed formula φ is obtained by switching t. with f. and vice versa. The uniform classification of formulae is given in Table 1.

Sets of formulae are represented by Γ and Δ and a sequent, written using Gentzen notation, is the pair Γ ⟹ Δ. With signed formulae the sequent Γ ⟹ Δ is represented as a set S of signed formulae as follows: S = {t.A | A ∈ Γ} ∪ {f.A | A ∈ Δ}. We abbreviate S ∪ {φ} as S, φ. In this set-oriented framework the usual structural rules such as weakening and contraction become redundant.

4 Propositional Logic 

The rules and axioms of the calculus are given in Fig. 1. The only new rule is 
denoted by (simp), and we call it local simplification. The use of signed formulae 
makes the definition of rule (simp) extremely compact. 
    ν        ν0           π        π0           α        α1, α2
    t.□A     t.A          f.□A     f.A          t.¬A     f.A
    f.◇A     f.A          t.◇A     t.A          f.¬A     t.A

    β            β1      β2           α            α1      α2
    f.A ∧ B      f.A     f.B          t.A ∧ B      t.A     t.B
    t.A ∨ B      t.A     t.B          f.A ∨ B      f.A     f.B
    t.A ⊃ B      f.A     t.B          f.A ⊃ B      t.A     f.B

Table 1. Uniform notation 



    S, α1, α2                 S, β1    S, β2
    --------- (α)             -------------- (β)
      S, α                         S, β

    S, φ, ψ[φ]                     S
    ---------- (simp)           ------ (thin)
     S, φ, ψ                     S, φ

    S, f.⊤  (⊤)         S, t.⊥  (⊥)         S, φ, φ̄  (Ax)

    S, φ    S, φ̄
    ----------- (cut)
         S

Fig. 1. Propositional Sequent Rules with Simplification 



Rule (thin) is not necessary and rule (cut) can be eliminated without hindering 
soundness and completeness [28,11], although it may impact the computational 
complexity [7]. We introduce them to show that some particular forms of 
simplification are derived by using them in combination with (simp). 

The definition of sequent tree and proof are standard [11,28]: a sequent tree is 
a dyadic tree where each node is labelled by a sequent, the root is labelled with 
the sequent we are trying to prove and, for each node, its children are labelled 
with the corresponding consequents of a rule of the calculus. A proof is a sequent 
tree where each leaf is labelled with an axiom. 

The next tool of our machinery is the definition of the proper operation of 
simplification ψ[φ]. Signs will be left unchanged by simplification and we have 
just to specify the progression over formulae. In the following definition ∘ is any 
binary (propositional) connective. 

    A[φ] =   ⊤                if φ = t.A
             ⊥                elseif φ = f.A
             ¬(B[φ])          elseif A = ¬B
             B[φ] ∘ C[φ]      elseif A = B ∘ C
             A                otherwise                                (1)

By A = B we mean, at this preliminary stage, syntactic identity. So A ∧ B is 
different from B ∧ A. Further extensions, where the commutative properties of 
the connectives are considered, are described in the following subsections. 

There is a number of observations worth making: 

1. we do not only reduce branching, we get smaller and simpler formulae; 

2. the operation of simplification is parametric w.r.t. the connectives used; 

3. the simplifying formula φ needs not be a literal nor have any normal form; 

4. without restriction, simplification can proceed recursively down any level of 
nesting of propositional connectives. 

  HARP (modus ponens):

            A, B ⇒ B, C                 A, C ⇒ B, C
            ---------------- MP         ---------------- MP
            A, A ⊃ B ⇒ B, C             A, A ⊃ C ⇒ B, C
            ---------------------------------------------- β∨
   A, (A ⊃ B) ∨ (A ⊃ C), D ⇒ A       A, (A ⊃ B) ∨ (A ⊃ C) ⇒ B, C
   ------------------------------     ------------------------------
   A, (A ⊃ B) ∨ (A ⊃ C) ⇒ D ⊃ A      A, (A ⊃ B) ∨ (A ⊃ C) ⇒ B ∨ C
   ----------------------------------------------------------------- β∧
               A, (A ⊃ B) ∨ (A ⊃ C) ⇒ (D ⊃ A) ∧ (B ∨ C)
               ----------------------------------------------
               A ⇒ (A ⊃ B) ∨ (A ⊃ C) ⊃ (D ⊃ A) ∧ (B ∨ C)
               ----------------------------------------------
               ⇒ A ⊃ ((A ⊃ B) ∨ (A ⊃ C) ⊃ (D ⊃ A) ∧ (B ∨ C))

  Simplification:

               A, B ∨ C ⇒ B ∨ C
               ----------------------------------------------
               A ⇒ B ∨ C ⊃ B ∨ C
               ---------------------------------------------- simp_{t.A}
               A ⇒ (A ⊃ B) ∨ (A ⊃ C) ⊃ (D ⊃ A) ∧ (B ∨ C)
               ----------------------------------------------
               ⇒ A ⊃ ((A ⊃ B) ∨ (A ⊃ C) ⊃ (D ⊃ A) ∧ (B ∨ C))

Fig. 2. HARP modus ponens versus simplification 

The last step is one of the key differences with modus ponens and tollens 
applied in HARP [21], the KE β^c-rules [7] and the ∨-simp_{0,1} rule used in [16]. 
Indeed we will show that they are particular forms of simplification where the 
recursion is stopped at the main connective of ψ. 

Theorem 1. Simplification (simp) is a sound and complete (invertible) rule for 
propositional logic. 

Proposition 1. For propositional logic the size of ψ[φ] is never larger than the 
size of ψ. It is strictly smaller whenever φ occurs as a subformula in ψ. 

An example is shown in Fig. 2 where we compare simplification with the 
rule of Modus Ponens in HARP. To simplify the notation we assume the usual 
precedence of ∧ over ∨ and of those two connectives over ⊃ and 
use the Γ ⇒ Δ notation in the obvious way. 

Of course one may argue that the pattern A and (A ⊃ B) ∨ (A ⊃ C) could 
be easily recognized but it is also easy to change it substantially; for instance 
as (A ⊃ B) ∨ ((A ∧ ¬B) ∨ D ⊃ C). This formula can still be proved with local 
simplification without any branching whereas HARP’s proof is harder than the 
one shown in Fig. 2. Moreover the point of simplification is that we do not want 
to remember a lot of particular patterns. 

There is another advantage: with open branches simplification leads to fewer 
and smaller counter-models, i.e. it sets the truth value of fewer propositions. For 
example one may try t.p ∧ (r ∧ ¬(q ⊃ p) ⊃ q). “Normal” tableaux have four open 
branches: the first (left-to-right) is {t.p, f.r}, then {t.p, f.q}, followed by {t.p} 
and {t.p, t.q}. The application of simplification yields only the model {t.p}. 
5 Subsuming Other Approaches 

A wide variety of rules used by tableau provers turn out to be restricted and 
shallow forms of simplification. Here we consider the case for the unit of DPLL [9], 
the β^c-rules of KE [7], the Modus ponens and tollens of HARP [21], hyper-tableau 
expansions [2] and boolean constraint propagation [19]. 

First consider DPLL unit: “let l be a unit clause, delete every clause which 
contains l and delete any occurrence of l̄ from the remaining clauses” [8]. 

Suppose we have Γ, l ⇒ ∅ where Γ is a set of clauses and we apply simplification 
to all formulae of Γ. By applying the boolean reductions ⊥ ∨ l1 ∨ ... ∨ ln ↦ 
l1 ∨ ... ∨ ln and ⊤ ∨ l1 ∨ ... ↦ ⊤, and finally ⊤ ∧ C1 ∧ ... ∧ Cn ↦ C1 ∧ ... ∧ Cn 
we obtain the same result of the unit rule. 

Fact 1. The DPLL-unit rule is derived by the sequent calculus with the (simp)- 
rule restricted to signed atoms, when S is a set of clauses with positive sign. 

Boolean constraint propagation is an inference system where the unit rule is the 
only rule of inference. Hence we subsume directly also the BCP system [19]. 

Then, we simply need to restrict the application of the cut rule to atomic 
propositions to make the following observation: 

Fact 2. The DPLL procedure is derived by the sequent calculus with rules (simp), 
(cut) and (thin) restricted to signed atoms, when S is a set of clauses with 
positive sign. 

The reason for the successes of the split-rule of DPLL or the folding operation 
with unit lemmata [17] is indeed their combination with (hidden) unit simplification: 
we add a unit literal (the negation of the left-hand side), we apply 
simplification (unit) and then use thinning to eliminate the literal. So the size 
of the right subtree is never larger. 

Equally, the β^c-rules of KE from [7] are a generalization to signed formulae of 
the modus ponens and modus tollens of HARP [21] and the ∨-simp_{0,1} in [16]. 
Reversed bottom-up from their original tableau-notation they are as follows: 

    S, β̄1, β2                 S, β̄2, β1
    ---------- β^c_1          ---------- β^c_2
    S, β̄1, β                  S, β̄2, β



It can be easily shown, by cases, that they are extremely restricted forms of 
simplification. For instance consider the following instance of β^c_1: 

    Γ, B ⇒ Δ, A                        Γ, (A ∨ B)[f.A] ⇒ Δ, A
    --------------- β^c_1              ---------------------- simp_{f.A}
    Γ, A ∨ B ⇒ Δ, A                    Γ, A ∨ B ⇒ Δ, A

If we applied the full-fledged version of simplification we would have had: 

    (A ∨ B)[f.A] ↦ A[f.A] ∨ B[f.A] ↦ ⊥ ∨ B[f.A] ↦ B[f.A] 

Thus, while KE only yields B, the full-fledged use of simplification would have 
given us B[f.A]. If A occurred somewhere in B simplification would have reduced 
B and, in general, shortened the proof further. 
Fact 3. The β^c rules for KE are instances of the simplification rule, restricted to 
β-formulae and such that recursive simplification stops at the main connective. 

As a simpler corollary we get: 

Fact 4. Modus ponens, tollens etc. of HARP and the ∨-simp_{0,1} rules in [16] 
are instances of the simplification rule (simp), when recursion stops at the main 
connective of β formulae and it is only applied to formulae of particular forms. 

The extension step of hyper-tableaux [2] can also be subsumed: 

Fact 5. The expansion rule of propositional hyper tableaux [2] is derived by the 
sequent calculus with (simp) restricted to atoms, a restriction on the application 
of the β-rules (β-formulae must not contain negated atoms), when S is a set of 
clauses with positive sign. 

The next restriction that is imposed on clausal tableau proofs or model elimination 
techniques is regularity [2,7,17,32,30]: a literal should never appear twice 
on a branch. In the setting of propositional logic and clausal theorem proving 
(such as [2,17]) this is equivalent to saying that a clause is never selected for the 
extension of a branch in the tableau if the extension step (an n-ary β-rule) will 
yield a literal to appear twice. It is a system to constrain the search space and 
in particular the non-determinism in the selection of clauses for reduction. 

Since we use sequents as sets, and are not restricted to clausal normal form we 
rephrase it in more general terms: a proof is regular iff all subformulae introduced 
by α, β rules (i.e. β1, β2, α1, α2) do not occur already in the sequent S before the 
application of the rule. 

Fact 6. If simplification is given precedence over other rules then all propositional 
tableaux proofs are regular. 

We can devise more powerful forms of simplification if we replace ∧ and ∨, 
which are commutative, associative and idempotent, with set-oriented versions 
∧{} and ∨{}. For instance A ∧ A ∧ B ∧ (C ∨ D ∨ E) ↦ ∧{A, B, ∨{C, D, E}}. This 
is already a simplification since we eliminate duplicates. This topic is described 
in more detail in [18]. In the experiments mentioned in §7 this is obtained by 
using Prolog lexicographically ordered lists (without repetitions). 

It has been sometimes argued that the use of the name TABLEAU in [6] was 
somehow misleading since it was an efficient implementation of DPLL. In the 
light of the results of this paper the choice of the name was indeed correct. 

6 Modal Logics from K to S5 

A wide range of tableau and sequent calculi have been proposed for modal logics 
(see e.g. [10]). For simplicity, we use the Gentzen-like formulation without adding 
extra-logical symbols. These techniques can be adapted to prefixed systems [10]. 

The rules are shown in Fig. 3. Different logics can be obtained by changing 
the operation S*. The same figure lists the cases for the major modal logics 
of knowledge and belief^ [10,14]. Deontic variants are obtained by waiving the 
requirement to have a π-formula (and the corresponding π0) in the π-rule. 

    S*, π0                   S, ν0, ν
    ------ (π)               -------- (ν)
    S, π                       S, ν

    Logic    Composition of S*               Logic    Composition of S*
    K        {ν0 | ν ∈ S}                    T*       {ν0 | ν ∈ S}
    K4       {ν0, ν | ν ∈ S}                 S4*      {ν | ν ∈ S}
    K45      {ν0, ν, π | ν, π ∈ S}           S5*      {ν, π | ν, π ∈ S}

    Rule (ν) is only used for the logics marked *.

Fig. 3. Modal Sequent Rules 

We do not need to change our general framework nor to impose clausal 
normal form, as done in KSAT [12] to apply propositional DPLL. We inherit all 
propositional rules including simplification. We simply need to specify how A[φ] 
will behave in presence of □ and ◇. 

The simplest way is to consider □B or ◇B as atoms (“modal atoms”) and 
apply boolean simplification. This is already sufficient for a speed-up [12,16]. 

Fact 7. Basic KSAT is an instance of the modal sequent calculus for logic K with 
propositional simplification, when S contains only modal-CNF formulae with positive 
sign and with only the □ operator. 

This restriction is such that KSAT may not even simplify directly □p ∧ ◇¬p 
without reduction to normal form. 

To enhance simplification we look inside modal atoms. We skip boolean rules 
as they remain unchanged. The new (interesting) cases in the simplification of 
A[φ] are those where φ is a modal formula, i.e. either a ν-formula or a π-formula. 
The uniform notation gives extremely elegant rules. 

Modal-K simplification is the simplest: 

    A[ν] ↦   □(B[ν0])      if A = □B
             ◇(B[ν0])      if A = ◇B
             ...           as for propositional logic 

The idea is that if we want to simplify ◇A with [t.□C] (a ν-formula) then we 
can exploit the properties of the modal operators and transform this operation 
in the simplification of A with [t.C] (the corresponding ν0-formula). 

In a nutshell, while propositional connectives leave the simplifying formula 
unchanged in the recursive steps (see §4 and reduction (1)), the semantics of the 
modal operators is such that we must do the recursion on the subformulae of 
both the simplified and the simplifying formula. 

^ With this sequent calculus à la Fitch, analytic cut is not eliminable for strong 
completeness of the logic S5. One has to resort to prefixed systems to avoid it [10]. 
For instance suppose we have ◇(□p ⊃ □(p ⊃ r) ∨ ◇¬r) and want to simplify 
it with the ν-formula t.□□p. Then we get the following computation: 

    (◇(□p ⊃ □(p ⊃ r) ∨ ◇¬r))[t.□□p]
      ↦        ◇((□p ⊃ □(p ⊃ r) ∨ ◇¬r)[t.□p])
      ↦_bool   ◇((□p)[t.□p] ⊃ (□(p ⊃ r))[t.□p] ∨ (◇¬r)[t.□p])
      ↦        ◇(⊤ ⊃ □((p ⊃ r)[t.p]) ∨ ◇(¬r[t.p]))
      ↦_bool   ◇(□r ∨ ◇¬r)

Modal-K4 simplification exploits directly the properties of transitivity (represented 
by the axiom □A ⊃ □□A): 

    A[ν] ↦   □(B[ν][ν0])   if A = □B
             ◇(B[ν][ν0])   if A = ◇B
             ...           as for propositional logic 

This means that for any logic containing the transitivity axiom we can first 
simplify B with ν and then simplify the result with ν0. The presence of the 
transitivity adds a further level of simplification with respect to logic K. 

Notice that the recursive call to simplification always terminates since the 
nesting of modal operators decreases in the simplified formula. For instance one 
may try the previous example with t.□p as the simplifying formula. 

Modal-K5 simplification is the following: 

    A[ν] ↦   □(B[ν0])      if A = □B
    A[ν] ↦   ◇(B[ν0])      if A = ◇B
    A[π] ↦   □(B[π])       if A = □B
    A[π] ↦   ◇(B[π])       if A = ◇B

The rule can be understood by considering the corresponding axiom, ◇A ⊃ 
□◇A: it tells that possibility-like formulae can propagate inside modalities. 

The calculus for K45 uses the simplification procedures of both K5 and K4: 

    A[φ] ↦   □(B[ν][ν0])   if A = □B and φ = ν
             ◇(B[ν][ν0])   if A = ◇B and φ = ν
             □(B[π])       if A = □B and φ = π
             ◇(B[π])       if A = ◇B and φ = π
             ...           as for propositional logic 

Theorem 2. The rules for L-Modal simplification, where L is one of K, T, K4, 
S4, K45, S5, yield a sound and complete (invertible) rule. 

Proposition 2. For the propositional modal logics K, T, K4, S4, K45, S5, the 
size of ψ[φ] is never larger than the size of ψ. 
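As an added example that is not part of the paper (the tuple encoding of formulae, the function names and the logic selector are assumptions of this example), the following Python implements the simplification operation A[φ] of definition (1) in §4 together with the Modal-K, K4, K5 and K45 cases above, and reproduces the computation of ◇(□p ⊃ □(p ⊃ r) ∨ ◇¬r)[t.□□p] in K:

```python
# Added example, not from the paper: an executable version of the simplification
# operation A[phi] of definition (1) with the modal cases of Section 6.
# Formulas are nested tuples: ('atom', 'p'), ('top',), ('bot',), ('not', A),
# ('and'|'or'|'imp', A, B), ('box', A), ('dia', A).  A signed formula is
# ('t', A) or ('f', A).  Encoding and function names are assumptions.
TOP, BOT = ('top',), ('bot',)
BINARY = ('and', 'or', 'imp')

def atom(p): return ('atom', p)
def neg(a): return ('not', a)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def dia(a): return ('dia', a)

def nu_zero(phi):
    """nu-formulas are t.[]A and f.<>A; return nu0 (t.A resp. f.A) or None."""
    sign, f = phi
    return (sign, f[1]) if (sign, f[0]) in (('t', 'box'), ('f', 'dia')) else None

def is_pi(phi):
    """pi-formulas are f.[]A and t.<>A."""
    sign, f = phi
    return (sign, f[0]) in (('f', 'box'), ('t', 'dia'))

def simplify(a, phi, logic='prop'):
    """A[phi]: the propositional cases of definition (1), then the modal cases
    selected by logic in {'prop', 'K', 'K4', 'K5', 'K45'}."""
    sign, f = phi
    if f == a:                                   # phi = t.A or f.A (syntactic identity)
        return TOP if sign == 't' else BOT
    if a[0] == 'not':                            # A = ~B
        return neg(simplify(a[1], phi, logic))
    if a[0] in BINARY:                           # A = B o C for a binary o
        return (a[0], simplify(a[1], phi, logic), simplify(a[2], phi, logic))
    if a[0] in ('box', 'dia') and logic != 'prop':
        nu0 = nu_zero(phi)
        if nu0 is not None:                      # phi is a nu-formula
            inner = a[1]
            if logic in ('K4', 'K45'):           # transitivity: B[nu] first ...
                inner = simplify(inner, phi, logic)
            return (a[0], simplify(inner, nu0, logic))   # ... then [nu0]
        if is_pi(phi) and logic in ('K5', 'K45'):        # axiom 5: pi propagates inside
            return (a[0], simplify(a[1], phi, logic))
    return a                                     # atoms, constants, remaining modal cases

def reduce_bool(a):
    """The boolean reductions used between steps (T /\ C -> C, _|_ \/ C -> C,
    T \/ C -> T, _|_ -> C -> T, ...), applied bottom-up."""
    if a[0] == 'not':
        b = reduce_bool(a[1])
        return BOT if b == TOP else TOP if b == BOT else neg(b)
    if a[0] in ('box', 'dia'):
        return (a[0], reduce_bool(a[1]))
    if a[0] not in BINARY:
        return a
    l, r = reduce_bool(a[1]), reduce_bool(a[2])
    if a[0] == 'and':
        if l == TOP: return r
        if r == TOP: return l
        if BOT in (l, r): return BOT
    elif a[0] == 'or':
        if l == BOT: return r
        if r == BOT: return l
        if TOP in (l, r): return TOP
    else:                                        # implication
        if l == TOP: return r
        if l == BOT or r == TOP: return TOP
        if r == BOT: return neg(l)
    return (a[0], l, r)

def size(a):
    """Number of symbol occurrences; Propositions 1 and 2 say it never grows."""
    return 1 + sum(size(x) for x in a[1:] if isinstance(x, tuple))

def simp(a, phi, logic='prop'):
    """One (simp) step followed by the boolean reductions."""
    return reduce_bool(simplify(a, phi, logic))

def section6_example():
    """<>([]p -> [](p -> r) \/ <>~r) simplified with t.[][]p in K: <>([]r \/ <>~r)."""
    p, r = atom('p'), atom('r')
    a = dia(imp(box(p), disj(box(imp(p, r)), dia(neg(r)))))
    return simp(a, ('t', box(box(p))), 'K')

def k_versus_k4():
    """[]([]p -> q) simplified with t.[]p: unchanged in K, []q in K4."""
    a = box(imp(box(atom('p')), atom('q')))
    phi = ('t', box(atom('p')))
    return simp(a, phi, 'K'), simp(a, phi, 'K4')

if __name__ == '__main__':
    print(section6_example())
    print(k_versus_k4())
```

k_versus_k4 shows the extra level of simplification that transitivity buys: the same ν-formula leaves □(□p ⊃ q) untouched in K but reduces it to □q in K4.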

7 Experimental Analysis 

We performed experiments for both propositional and modal logics. For propositional 
logics we have used the random 3-SAT and the IFIP benchmarks^. 

^ The benchmarks are available at http://www.dis.uniroma1.it/~massacci/ifip 
both in and Prolog format. 
We have used a tableau prover (Beatrix) implemented in SICStus Prolog. 
Beatrix has been designed in the spirit of lean tableau theorem proving [4] with 
few modifications. At first, we used set oriented connectives implemented with 
Prolog ordered lists without repetitions, e.g. the formula a1 ∧ a2 ∧ (b1 ∨ b2) is 
represented by the Prolog list [conj,a1,a2,[disj,b1,b2]]. The benchmarks 
are easier to represent in this way. Second we used Prolog lexicographic ordering 
among formulae, reduced conjunctions before disjunctions and small formulae 
before large ones. Finally, before applying an α or β rule to a formula ψ we 
use ψ to simplify all other formulae in the current sequent. Formulae are reduced 
off-line to negation normal form (without any optimizations) as in leanTAP. The 
machine used was a Sun SuperSPARC workstation (time is in seconds). 

To make the comparison more interesting we used two β-rules: the standard 
rule of Fig. 1 and the asymmetric rule for a limited form of cut [7,17]: 

    S, β1    S, β2                 S, β1    S, β̄1, β2
    -------------- Dir             ----------------- Lem
        S, β                             S, β

A simple implementation is already sufficient for interesting conclusions wrt 
the relative gains of simplification and lemmaizing. In the following tables the 
normal β rule is denoted by “Dir” and the lemmaizing version by “Lem”. 



Remark 1. None of the problems listed here could be solved by Beatrix without 
simplification in any reasonable amount of time (one night), no matter the 
branching rule. So analytic cut does not necessarily help for hard problems. 

Thus, we do not show the benchmark results for Beatrix without simplification 
(in practice an enhanced version of leanTAP) since it would be an empty column 
except for the easiest formulae (first line of the table) of the 3-SAT benchmark. 

Table 2 shows the result for the standard random distribution of 3-SAT^: 
3-sat(V, C) means that samples had C clauses, with 3 literals selected uniformly 
among V variables and each literal negated with probability 0.5. 

A number of experimental studies [6,12] have shown that DPLL (and indeed 
most complete satisfiability checking procedures) exhibits an easy-hard-easy 
computation pattern as the ratio between the number of clauses and variables 
increases, with the hardest formulae around C/V = 4.2–4.3. This phenomenon 
has been sometimes attributed to the “semantical” branching described 
by the splitting rule of DPLL. On the contrary we have found out the following: 

Fact 8. For random 3-CNF local simplification produces already the easy-hard- 
easy pattern. Only in the transition region lemmaizing improves the performance. 

Apart from the CNF benchmark we have tested our implementation on the 
IFIP benchmarks for hardware verification [5]. These benchmarks are known to 
be hard for DPLL [29] and are formulated in non clausal form, with an extensive 
use of equivalences (≡) and exclusive or (⊕). Each problem requires to prove 
that the outputs of two circuits are equivalent i.e. the specification is equivalent 
to the implementation. 

^ After C = 10 × V a linear relation between C and running time is due to inefficient 
list management by Prolog. 

Table 2. Benchmark on Random 3-SAT 

    Problem          Dir     Lem       Problem           Dir        Lem
    3-sat(32,96)     .3      .2        3-sat(64,192)     1.4        1.0
    3-sat(32,128)    3.9     1.2       3-sat(64,256)     334.6      38.4
    3-sat(32,136)    6.1     1.8       3-sat(64,272)     554.3      56.4
    3-sat(32,144)    6.9     2.1       3-sat(64,288)     1,050.9    72.0
    3-sat(32,160)    8.2     2.4       3-sat(64,320)     568.6      60.0
    3-sat(32,192)    7.7     2.6       3-sat(64,384)     240.3      39.4
    3-sat(32,224)    6.0     2.2       3-sat(64,448)     139.3      30.6
    3-sat(32,256)    5.3     2.3       3-sat(64,512)     74.3       23.5
    3-sat(32,288)    4.9     2.3       3-sat(64,576)     69.6       21.8
    3-sat(32,320)    4.8     2.4       3-sat(64,640)     59.6       20.4
    3-sat(32,640)    5.9     3.7       3-sat(64,1280)    38.2       19.8
    3-sat(32,1280)   10.5    6.5       3-sat(64,2560)    52.3       24.9

    Spec    car1    ≡ (a1 ∧ b1),
            som1^s  ≡ (a1 ⊕ b1),
            som2^s  ≡ (a2 ⊕ b2 ⊕ car1),
            cout^s  ≡ (((a2 ∨ b2) ∧ car1) ∨ (a2 ∧ b2))

    Impl    cout1   ≡ (b1 ∧ a1),
            som1^i  ≡ ¬((¬a1 ∧ ¬b1) ∨ (a1 ∧ b1)),
            som2^i  ≡ ¬((((¬a2 ∧ ¬b2) ∨ (a2 ∧ b2)) ∧ ¬cout1) ∨ (cout1 ∧ ¬((¬a2 ∧ ¬b2) ∨ (a2 ∧ b2)))),
            cout^i  ≡ ((a2 ∧ cout1) ∨ (b2 ∧ cout1) ∨ (a2 ∧ b2))

    Spec ∪ Impl ⇒ (som1^s ≡ som1^i) ∧ (som2^s ≡ som2^i) ∧ (cout^s ≡ cout^i)

Fig. 4. A two-bit ripple adder rip02.be 

An example is shown in Fig. 4 as a sequent to be proved. It is a simple 2-bit 
binary ripple adder: it takes four bits of input (a_i and b_i) and returns three bits of 
output: the sums som_i and the carry cout. The two circuits are described by two 
sets of equivalences, each equivalence defining the output of a sub-circuit. The 
“upper” part in Fig. 4 describes the specification and the “lower” part describes 
the implementation. Using this description we must derive a (sequent) proof of 
the equivalence of the respective outputs. 

In practice all have been solved except large multipliers, which are hard 
also for BDDs, timed out after 10 minutes (for a comparison between DPLL 
and OBDDs see [29]). Satisfiable formulae (marked by *) are solved within few 
milliseconds. What is more interesting here is the comparison with a standard 
interactive prover such as Isabelle [22]. This is shown in Table 3, where fast_tac 
is the standard automatic tactic used in Isabelle, and ifip_tac applies fast_tac 
after a pre-processing step which eliminates the equivalences by substituting 
each defined proposition with the corresponding formula (sub-circuit). Notice 
that also this preprocessing step, which eliminates abbreviations and leaves only 
“natural” (in)equivalences (at the price of an increase in size), is not enough. 

Table 3. Simplification versus Isabelle 

    Problem     fast_tac    ifip_tac       Problem     Dir     Lem
    ex2         13.1        1.3            ex2         0.0     0.0
    transp      43.8        0.2            transp      0.0     0.0
    rise        -           9.8            rise        0.4     0.6
    counter     -           68.8           counter     0.1     0.1
    hostint1    -           96.5           hostint1    0.3     0.2
    mul         -           130.9          mul         0.4     0.2

    Prob.       fast_tac    ifip_tac       Prob.       Dir     Lem
    rip02       2848.2      1.6            rip02       0.0     0.0
    rip04       -           994.5          rip04       0.5     0.6
    rip06       -           -              rip06       3.0     3.0
    rip08       -           -              rip08       18.2    18.4

Table 4. Run times on IFIP Benchmarks 

    Problem    Dir   Lem    Problem        Dir   Lem    Problem   Dir    Lem    Problem    Dir     Lem
    counter    0.1   0.2    ztwaalf1       0.8   0.8    add1      24.4   12.2   alupla20   784.0   618.1
    d3 (*)     0.1   0.1    ztwaalf2       0.8   0.4    alu       21.3   7.1    dc2        149.7   12.5
    dk27       2.2   2.3    mjcg_no (*)    0.0   0.0    dk17      19.8   3.0    sqn        297.7   11.2
    ex2        0.0   0.0    mjcg_yes       1.8   1.1    f51m      21.4   5.7    z9sym      166.8   9.8
    hostint1   0.2   0.2    mp2d           3.7   1.1    table     13.9   2.8    mul03      -       20.1
    misg       0.7   1.0    rip02          0.0   0.0    vg2       12.8   7.0    pitch      -       5.7
    mul        0.2   0.2    rip04          0.4   0.5    x1dn      13.4   7.2    rd73       -       30.4
    rise       0.4   0.5    rip06          2.9   2.9    z4        2.9    2.3    rom2       -       2.5
    transp     0.0   0.0    rip08          18.2  18.4   z5xp1     11.5   4.1    root       -       33.7

The scaling factor for problems such as rip0n.be is more interesting than the 
absolute values. Absolute values simply tell us about the relative efficiency of lean 
proving in Prolog vs big provers in ML, somehow strengthening the argument of 
[4]. The gap in the scaling factor (a factor of 1000 for Isabelle in the passage from 
rip0n to rip0n+2 is matched by a factor of 10 for Beatrix) tells that the use 
of simplification can substantially increase the tractability threshold for tableau 
calculi. Further benchmarks are shown in Table 4. 

The experiments on modal logics lead to the same results noted in [16] on the 
gap between “standard” tableaux and KSAT : after the introduction of (limited) 
simplification, the gap claimed by Giunchiglia & Sebastiani [12] disappears. 

Intuition 2. Simplification is a must (and a win) for efficient tableau provers, no 
matter if you use cut or not. 
8 Conclusion 

In this paper we have shown how the introduction of a simple technique called 
simplification may boost the deduction capabilities of tableau methods. It plays 
the same role as unit for DPLL and subsumption for resolution and provides a 
uniform framework which subsumes a number of techniques for the improvement 
of tableau-based methods. 

Its flexibility and its simplicity make its incorporation into sequent 
based interactive theorem provers used for hardware and software verification possible. 
Moreover there is no need of black-boxes since the computational effectiveness 
of DPLL and KSAT can now be compiled into standard sequent-based tactics. 

While propositional and modal logics can be uniformly treated without many 
changes, the effective use of simplification for first order logic requires more 
advanced techniques. This topic is further discussed in [18]. 

At the end, there is a criticism we may have to face: after adding all these 
simplifications to sequent calculi are we not abandoning the calculus itself? 

The answer is a question: is resolution with subsumption no longer resolution? 
Abstract. Coping with ambiguity has recently received a lot of attention 
in natural language processing. Most work focuses on the semantic 
representation of ambiguous expressions. In this paper we complement 
this work in two ways. First, we provide an entailment relation for a 
language with ambiguous expressions. Second, we give a sound and complete 
tableaux calculus for reasoning with statements involving ambiguous 
quantification. The calculus interleaves partial disambiguation steps 
with steps in a traditional deductive process, so as to minimize and postpone 
branching in the proof process, and thereby increases its efficiency. 



1 Introduction 

Natural language expressions can be highly ambiguous, and this ambiguity may 
have various faces. Well-known phenomena include lexical and syntactic ambiguities. 
In this paper we focus on representing and reasoning with a different 
source of ambiguity, namely quantificational ambiguity, as exemplified in (1). 

(1) a. Every man loves a woman. 

    b. Every boy doesn’t see a movie. 

The different readings of (1.a) correspond to the two logical representations in 

(2) a. ∀x (man(x) → ∃y (woman(y) ∧ love(x,y))). 
    b. ∃y (woman(y) ∧ ∀x (man(x) → love(x,y))). 

We refer the reader to [KM93,DP96] for extensive discussions of these and other 
examples of quantificational ambiguity. All we want to observe here is this. Examples 
like (1.a) have a preferred reading namely the wide-scope reading represented 
by (2.a). Additional linguistic or non-linguistic information, or the 
context, may overrule this preference. For instance, if (1.a) is followed by (3), 
then the second reading (2.b) is preferred. But if (1.a) occurs in isolation, then 
the first reading (2.a) is preferred. 

(3) But she is already married. 

* The research in this paper was supported by the Spinoza project ‘Logic in Action’ 
at the University of Amsterdam. 
Clearly, if we want to process a discourse from left to right and take the context 
of an expression into account, our semantic representation for (1.a) must 
initially allow for both possibilities. And, similarly, any reasoning system for 
ambiguous expressions needs to be able to integrate information that helps the 
disambiguation process within the deductive process. 

Although the problem of ambiguity and underspecification has recently enjoyed 
a considerable increase in attention from computational linguists, computer 
scientists and logicians (see, for instance, [DP96]), the focus has mostly been on 
semantic aspects, and deductive reasoning with ambiguous sentences is still in 
its infancy. 

The aim of this paper is to present a tableaux calculus for reasoning with 
expressions involving ambiguous quantification. An important feature of our 
calculus is that it integrates two processes: disambiguation and deductive reasoning. 
The calculus operates on semantic representations of natural language 
expressions. These representations contain both ambiguous and unambiguous 
subparts, and an important feature of our representations is that they represent 
all possible disambiguations of an ambiguous statement in such a way that unambiguous 
subparts are shared as much as possible. As we will explain below, 
compact representations of this kind will allow us to keep ambiguities ‘localized’ 
— a feature which has important advantages from the point of view of efficiency. 

In setting up a deductive system for ambiguous quantification we have had 
two principal desiderata. First, although this is not the topic of the present paper, 
we aim to implement the calculus as part of a computational semantics 
work bench; this essentially limits our options to resolution and tableaux based 
calculi. Second, to incorporate information arising from the disambiguation process 
within a proof system, the proofs themselves need to be incremental in the 
sense that at any stage we have a ‘partial’ proof that can easily be extended to 
cope with novel information. We believe that a tableaux style calculus has clear 
advantages over resolution based systems in this respect. 

The paper is organized as follows. A considerable amount of work goes into 
setting up semantic representations and a mechanism for recording ambiguities 
and disambiguations in such a way that it interfaces rather smoothly with 
traditional deductive proof steps. This work takes up Sections 2 and 3. Then, 
in Section 4 we present two tableaux calculi, one which deals with fully disambiguated 
representations of ambiguous natural language expressions, and a more 
interesting one in which traditional tableaux style deduction is interleaved with 
partial disambiguation. Section 5 contains a detailed example, and Section 6 
provides conclusions and suggestions for further work. 

2 Representing Ambiguity 

Lexical ambiguities can be represented pretty straightforwardly by putting the 
different readings into a disjunction. (Cf. [Dee96,KR96] for further elaboration.) 
It is also possible to express quantificational ambiguities by a disjunction, but 
quite often this involves much more structure than in the case of lexical ambiguities, 
because quantificational ambiguities are not tied to a particular atomic 
expression. For instance, the only way to represent the ambiguity of (1.a) in a 
disjunctive manner is (4). 

(4) ∀x (man(x) → ∃y (woman(y) ∧ love(x,y))) 
    ∨ ∃y (woman(y) ∧ ∀x (man(x) → love(x,y))) 

Obviously, there seems to be some redundancy, because some subparts appear 
twice. If we put indices at the corresponding subparts, as in (5) below, we see that 
these subparts are not proper expressions of first-order logic, except subpart k. 

(5) [∀x (man(x) → ]_i [∃y (woman(y) ∧ ]_j [love(x,y)]_k )) 
    ∨ [∃y (woman(y) ∧ ]_j [∀x (man(x) → ]_i [love(x,y)]_k )) 

The difference between the readings lies not in the material used, both readings 
are built from the parts i, j and k, but in the order these are put together. 

A reasonable way to represent improper expressions like i and k is to abstract 
over those parts that are missing in order to yield a proper expression 
of first-order logic. [Bos95] calls these missing parts holes. Roughly speaking, 
they are variables over occurrences of first-order formulas. To distinguish the 
occurrence of an expression from its logical content, it is necessary to supplement 
first-order formulas with labels. Holes may be subject to constraints; for 
instance, the semantic representations of verbs have to be in the scope of its 
arguments, because otherwise it may happen that the resulting disambiguations 
contain free variables. So we do not want to permit disambiguations like 
∀x (man(x) → love(x,y) ∧ ∃y (woman(y))). These constraints are expressed by 
a partial order on the labels. 

Definition 1 (Underspecified Representation). For i ∈ ℕ, let h_i be a new 
atomic symbol, called a hole. A formula φ is an h-formula, or a formula possibly 
containing holes, if it is built up from holes and atomic formulas from first-order 
logic using the familiar boolean connectives and quantifiers. 

Next, we specify the format of an underspecified representation UR of a nat- 
ural language expression. An underspecified representation is a quadruple (LHF, 
L, H, C) consisting of 

1. A set of labeled h-formulas LHF. 

2. The set of labels L occurring in LHF. 

3. The set of holes H occurring in LHF. 

4. A set of order-constraints C of the form k ≤ k', meaning that k has to be a 
subexpression of k', where k, k' ∈ L ∪ H and C is closed under reflexivity, 
antisymmetry and transitivity. 

An obvious question at this point is, how does one associate a UR with a given 
natural language expression? We will not address this issue here, but we will 
assume that there exists some mechanism for arriving at URs, see for example 
[Kön94]. For notational convenience we write UR(S) for the underspecified rep- 
resentation associated with a sentence S. By way of example, we reconsider (4) 
and obtain the following underspecified representation: 
(6) $(\{l_0 : h_0,\; l_1 : \forall x\,(man(x) \to h_1),\; l_2 : \exists y\,(woman(y) \wedge h_2),\; l_3 : love(x,y)\},$

$\quad \{l_0, l_1, l_2, l_3\},$

$\quad \{h_0, h_1, h_2\},$

$\quad closure(\{l_1 \le h_0,\; l_2 \le h_0,\; l_3 \le h_1,\; l_3 \le h_2\}))$

There are two possible sets of instantiations, ι_1 and ι_2, of the holes h_0, h_1, h_2 
in (6) which obey the constraints in (6): ι_1 = {h_0 := l_1, h_1 := l_2, h_2 := l_3} 
and ι_2 = {h_0 := l_2, h_2 := l_1, h_1 := l_3}. 

It is also possible to view URs as upper semi-lattices, as is done in [Rey93]: 

[Figure: the upper semi-lattice for (6), with l_0 : h_0 at the top, l_1 : ∀x(man(x) → h_1) and l_2 : ∃y(woman(y) ∧ h_2) below it, and l_3 : love(x,y) at the bottom.] 

For each instantiation ι of the holes there is a corresponding substitution σ(ι) 
which is like ι but h := φ ∈ σ(ι) iff there is an l such that l : φ ∈ LHF and 
h := l ∈ ι. 

The next step is to define an extension of the language of first-order logic, ℒ, 
in which standard (unambiguous) expressions occur side by side with the 
above underspecified representations. The resulting language, the language of 
underspecified logic, or ℒ^u for short, is the language in which we will perform 
deduction. 
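As an added illustration of Definition 1 and of the instantiations of (6) (example code, not the paper's), the following Python models a UR as the quadruple (LHF, L, H, C), enumerates the instantiations of its holes that respect the order constraints, builds σ(ι), and plugs the holes to obtain the total disambiguations. The labels and holes are those of (6); encoding h-formulas as strings in which a hole is a substring is an assumption of the example.

```python
"""Holes, labels and constraints of an underspecified representation (added
example, not the paper's code).  H-formulas are strings in which a hole is a
substring h0, h1, ...; this encoding is an assumption of the example."""
from itertools import permutations

# Constructed sample: the labeled h-formulas of (6), 'every man loves a woman'.
LHF = {
    "l0": "h0",
    "l1": "∀x(man(x) → h1)",
    "l2": "∃y(woman(y) ∧ h2)",
    "l3": "love(x,y)",
}
HOLES = ["h0", "h1", "h2"]
# Order constraints k ≤ k': k must end up as a subexpression of k'.  The two
# constraints on l3 keep love(x,y) inside the scope of both of its arguments.
CONSTRAINTS = [("l1", "h0"), ("l2", "h0"), ("l3", "h1"), ("l3", "h2")]
ROOT = "l0"          # the label whose hole is the top of the representation


def holes_in(formula, holes):
    """Holes occurring in an h-formula, in textual order."""
    return sorted((h for h in holes if h in formula), key=formula.index)


def descendants(node, lhf, holes, inst):
    """Labels and holes strictly below `node` once every hole h is plugged with
    the label inst[h].  A label's children are the holes in its formula; a
    hole's only child is the label plugged into it.  Cycle-safe."""
    seen, stack = set(), [node]
    while stack:
        k = stack.pop()
        kids = [inst[k]] if k in inst else holes_in(lhf[k], holes)
        for kid in kids:
            if kid not in seen:
                seen.add(kid)
                stack.append(kid)
    return seen


def admissible(inst, lhf, holes, constraints, root):
    """Plugging must give one tree rooted at `root` that uses every label, and
    every constraint k ≤ k' must hold (k == k' is allowed by reflexivity)."""
    if descendants(root, lhf, holes, inst) | {root} != set(lhf) | set(holes):
        return False     # some label unreachable, e.g. plugged into its own hole
    return all(k == k2 or k in descendants(k2, lhf, holes, inst)
               for k, k2 in constraints)


def instantiations(lhf, holes, constraints, root):
    """All admissible instantiations ι: bijections from holes to non-root labels."""
    labels = [l for l in lhf if l != root]
    found = []
    for perm in permutations(labels):
        inst = dict(zip(holes, perm))
        if admissible(inst, lhf, holes, constraints, root):
            found.append(inst)
    return found


def substitution(inst, lhf):
    """σ(ι): like ι, but each hole is mapped to the h-formula of its label."""
    return {h: lhf[l] for h, l in inst.items()}


def plug(node, lhf, holes, inst):
    """The fully disambiguated formula below `node` for instantiation ι."""
    formula = lhf[inst[node]] if node in inst else lhf[node]
    for h in holes_in(formula, holes):
        formula = formula.replace(h, plug(h, lhf, holes, inst))
    return formula


def total_disambiguations(lhf, holes, constraints, root):
    """δ(UR): one first-order formula per admissible instantiation."""
    return sorted(plug(root, lhf, holes, inst)
                  for inst in instantiations(lhf, holes, constraints, root))


if __name__ == "__main__":
    for reading in total_disambiguations(LHF, HOLES, CONSTRAINTS, ROOT):
        print(reading)
    # Adding l1 ≤ h2 (the universal inside the existential) leaves one reading.
    print(total_disambiguations(LHF, HOLES, CONSTRAINTS + [("l1", "h2")], ROOT))
```

Adding a further constraint such as l_1 ≤ h_2 to C is a partial disambiguation: only ι_2 survives, which is the mechanism the later rules for partial negation resolution build on.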



Definition 2 (Underspecified Logic). A formula φ is a formula of our un- 
derspecified logic, or a u-formula, that is, a formula possibly containing un- 
derspecified representations, if it is built up from underspecified representations 
and the usual atomic formulas from standard first-order logic using the familiar 
boolean connectives and quantifiers. 



Example 1. As an example of a more complex u-formula consider the semantic 
representation of if every boy didn't sleep and John is a boy, then John didn't 
sleep. 

( [scope diagram of the UR for every boy didn't sleep; its legible labeled h-formulas are l_1, a universally quantified h-formula, and l_3 : sleep(x)] ∧ boy(j) ) → ¬sleep(j) 



Definition 3 (Total Disambiguations). To define the total disambiguation 
δ(φ) of a u-formula φ, we need the following notion of a join. 

Given an underspecified representation (LHF, L, H, C) and k, k', k'' ∈ L ∪ H 
with k'' ≤ k, k' ∈ C, then k'' is the join of k and k', k ⊔ k' = k'', only if there is 
no k''' ∈ L ∪ H with k''' ≤ k, k' ∈ C and k''' > k'' ∈ C. 

Then, by δ(φ) we denote the set of total disambiguations of the u-formula φ, 
where for all d ∈ δ(φ), d ∈ ℒ. For complex u-formulas δ is defined recursively: 




236 C. Monz and M. de Rijke 



1. δ((LHF, L, H, C)) = the set of LHF σ(ι) such that 

(i) ι is an instantiation and σ(ι) is the corresponding substitution 

(ii) Hι = L 

(iii) for all l, l' ∈ L, if l ⊔ l' is defined, then l ≤ l' ∈ closure(Cι) or l' ≤ l ∈ 
closure(Cι) 

2. δ(¬φ) = { ¬d | d ∈ δ(φ) } 

3. δ(φ ∘ ψ) = { d ∘ d' | d ∈ δ(φ), d' ∈ δ(ψ) }, where ∘ ∈ {∧, ∨, →} 

4. δ(Qxφ) = { Qxd | d ∈ δ(φ) }, where Q ∈ {∀, ∃}. 

If l ≤ l' ∉ C and l' ≤ l ∉ C, then it does not have to be the case that there is 
a scope ambiguity between quantifiers belonging to l and l'. For instance, if l 
and l' belong to different conjuncts, they are not ordered with respect to each 
other. The restriction that l ⊔ l' has to be defined excludes this. 

Example 2. To illustrate the purpose of this restriction see the underspecified 
representation for every man who doesn't have a car rides a bike: 

[Scope diagram; legible nodes: l_0 : h_0 at the top; l_1 : ∀x((man(x) ∧ h_1) → h_2), l_2 : ∃y(car(y) ∧ h_3) and l_3 : ∃z(bike(z) ∧ h_4) in the middle row; l_5 : have(x,y) and l_6 : ride(x,z) at the bottom.] 

Although l_3 and l_4 are not related to each other, it cannot happen that l_3 is in 
the scope of l_4, because the negation must be a subformula of the antecedent of 
l_1, whereas l_3 might have scope over l_1 as a whole or might be in the scope of 
the succedent of l_1. More generally, this is due to the fact that l_3 and l_4 do not 
have to share a subformula, i.e., l_3 ⊔ l_4 is not defined. 



3 Semantics of Underspecified Formulas 

In the previous section we introduced a formalism that allows for a compact 
semantic representation of ambiguous expressions. Now we want to see what 
the validity conditions of these underspecified representations are, and how they 
interact with the classical logical connectives. 

If an ambiguous sentence S with δ(UR(S)) = {d_1, d_2} is uttered, and we 
want to check whether S is valid, we simply have to see whether all of its 
disambiguations are valid. That is, it must be the case that ⊨ d_1 and ⊨ d_2. If, 
on the other hand, an ambiguous sentence S with δ(UR(S)) = {d_1, d_2} is claimed 
to be false, things are different. Here it is not sufficient that either ⊭ d_1 or ⊭ d_2; 
one has to be sure that all disambiguations are false, i.e., ⊭ d_1 and ⊭ d_2. To 
model this distribution of falsity, van Eijck and Jaspars [EJ96] use the notions 
of a countermodel and a falsification relation ⫤. Roughly, if only unambiguous 
expressions appear as premises or consequences, ⫤ corresponds to ⊭, but if at 
least one underspecified expression appears as premise or consequence, we have 
to define the (counter-) consequence relation appropriately. 
Definition 4. We define the underspecified consequence relation ⊨_u and un- 
derspecified falsification relation ⫤_u for ℒ^u and an arbitrary model M. 

1. M ⊨_u φ iff M ⊨ φ, if φ is an unambiguous expression. 
M ⫤_u φ iff M ⊭ φ, if φ is an unambiguous expression. 

2. M ⊨_u UR iff M ⊨ d, for all d ∈ δ(UR). 
M ⫤_u UR iff M ⊭ d, for all d ∈ δ(UR). 

3. M ⊨_u ¬φ iff M ⫤_u φ 
M ⫤_u ¬φ iff M ⊨_u φ 

4. M ⊨_u φ ∧ ψ iff M ⊨_u φ and M ⊨_u ψ 
M ⫤_u φ ∧ ψ iff M ⫤_u φ or M ⫤_u ψ 

5. M ⊨_u φ ∨ ψ iff M ⊨_u φ or M ⊨_u ψ 
M ⫤_u φ ∨ ψ iff M ⫤_u φ and M ⫤_u ψ 

6. M ⊨_u φ → ψ iff M ⫤_u φ or M ⊨_u ψ 
M ⫤_u φ → ψ iff M ⊨_u φ and M ⫤_u ψ 

7. M ⊨_u ∀xφ iff M ⊨_u φ[a], for all a ∈ D(M). 
M ⫤_u ∀xφ iff M ⫤_u φ[a], for some a ∈ D(M). 

8. M ⊨_u ∃xφ iff M ⊨_u φ[a], for some a ∈ D(M). 
M ⫤_u ∃xφ iff M ⫤_u φ[a], for all a ∈ D(M). 

Example 3. We now give an example demonstrating the convenience of having 
the falsification relation. 

In our setting of ambiguous expressions, some familiar classical tautologies 
are no longer valid. For instance, if A is ambiguous and B unambiguous we do 
not want ⊨_u (A ∧ B) → A, because the two occurrences of A may be disambiguated 
in different ways. For instance, if δ(A) = {d_1, d_2}, then ⊨_u (A ∧ B) → A iff 
⊨_u (d_1 ∧ B) → d_1, ⊨_u (d_1 ∧ B) → d_2, ⊨_u (d_2 ∧ B) → d_1 and ⊨_u (d_2 ∧ B) → d_2. 

If we were to model falsity by ⊭, applying the definitions would yield: 

⊨_u (A ∧ B) → A iff ⊭ A ∧ B or ⊨_u A 

iff ⊭ A or ⊭ B or ⊨_u A 

iff ⊭ d_1 or ⊭ d_2 or ⊭ B or (⊨ d_1 and ⊨ d_2). 

The latter is classically valid, and it would therefore make the classical tautology 
valid. On the other hand, if we model falsity by ⫤_u we manage to avoid this, as 
⫤_u distributes over disambiguations of A, whereas ⊭ does not: 

⊨_u (A ∧ B) → A iff ⫤_u A ∧ B or ⊨_u A 

iff ⫤_u A or ⫤_u B or ⊨_u A 

iff (⊭ d_1 and ⊭ d_2) or ⫤ B or (⊨ d_1 and ⊨ d_2). 
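Example 3 can be checked mechanically. The following Python (an added example, not the paper's code) implements the ⊨_u and ⫤_u clauses of Definition 4 for propositional u-formulas, where an ambiguous expression is given directly by its set of total disambiguations; with δ(A) = {p, q} and B = r it finds the countermodels of (A ∧ B) → A and shows that reading falsity as "not ⊨_u" would make the formula valid again. The tuple syntax for formulas and the atom names are the example's own.

```python
"""Underspecified consequence ⊨_u and falsification ⫤_u (Definition 4), an
added propositional example, not the paper's code.  An ambiguous expression
is given directly by its set of total disambiguations."""
from itertools import product

# Constructed formula syntax:
#   ("atom", "p")          propositional atom
#   ("ur", [d1, d2, ...])  underspecified representation, given by δ(UR)
#   ("not", φ), ("and", φ, ψ), ("or", φ, ψ), ("imp", φ, ψ)


def atoms(phi):
    """Atoms occurring in a (possibly ambiguous) formula."""
    if phi[0] == "atom":
        return {phi[1]}
    subs = phi[1] if phi[0] == "ur" else phi[1:]
    return set().union(*(atoms(s) for s in subs))


def sat(model, phi):
    """Classical truth in `model` (the set of true atoms); URs not allowed."""
    tag = phi[0]
    if tag == "atom":
        return phi[1] in model
    if tag == "not":
        return not sat(model, phi[1])
    if tag == "and":
        return sat(model, phi[1]) and sat(model, phi[2])
    if tag == "or":
        return sat(model, phi[1]) or sat(model, phi[2])
    if tag == "imp":
        return not sat(model, phi[1]) or sat(model, phi[2])
    raise ValueError("sat is classical only; disambiguate first")


def holds(model, phi, naive=False):
    """M ⊨_u φ.  With naive=True falsity is read as 'not ⊨_u' instead of ⫤_u."""
    tag = phi[0]
    if tag == "atom":
        return phi[1] in model
    if tag == "ur":                     # every disambiguation must be true
        return all(sat(model, d) for d in phi[1])
    if tag == "not":
        return fails(model, phi[1], naive)
    if tag == "and":
        return holds(model, phi[1], naive) and holds(model, phi[2], naive)
    if tag == "or":
        return holds(model, phi[1], naive) or holds(model, phi[2], naive)
    if tag == "imp":
        return fails(model, phi[1], naive) or holds(model, phi[2], naive)
    raise ValueError(tag)


def fails(model, phi, naive=False):
    """M ⫤_u φ: falsity distributes over all disambiguations of a UR."""
    if naive:
        return not holds(model, phi, naive=True)
    tag = phi[0]
    if tag == "atom":
        return phi[1] not in model
    if tag == "ur":                     # every disambiguation must be false
        return all(not sat(model, d) for d in phi[1])
    if tag == "not":
        return holds(model, phi[1])
    if tag == "and":
        return fails(model, phi[1]) or fails(model, phi[2])
    if tag == "or":
        return fails(model, phi[1]) and fails(model, phi[2])
    if tag == "imp":
        return holds(model, phi[1]) and fails(model, phi[2])
    raise ValueError(tag)


def models(phi):
    """Every propositional model over the atoms of φ."""
    names = sorted(atoms(phi))
    for bits in product([False, True], repeat=len(names)):
        yield {a for a, b in zip(names, bits) if b}


def valid_u(phi, naive=False):
    """⊨_u φ: φ holds in every model."""
    return all(holds(m, phi, naive) for m in models(phi))


def countermodels(phi):
    """Models (as sorted atom lists) in which φ does not hold."""
    return sorted((sorted(m) for m in models(phi) if not holds(m, phi)), key=str)


# Constructed sample for Example 3: δ(A) = {p, q}, B = r unambiguous.
A = ("ur", [("atom", "p"), ("atom", "q")])
B = ("atom", "r")
TAUTOLOGY = ("imp", ("and", A, B), A)          # (A ∧ B) → A

if __name__ == "__main__":
    print("⊨_u (A ∧ B) → A:", valid_u(TAUTOLOGY))
    print("same with falsity read as 'not ⊨_u':", valid_u(TAUTOLOGY, naive=True))
    print("countermodels:", countermodels(TAUTOLOGY))
```

The countermodels are exactly those in which r holds and the two disambiguations of A disagree, which is where ⫤_u A and ⊨_u A both fail.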

Definition 5. Let φ_1, ..., φ_n, ψ be ℒ^u-formulas, possibly containing underspec- 
ified representations. We define the relation of underspecified consequence ⊨_u as 
follows: 

φ_1, ..., φ_n ⊨_u ψ iff 
for all d_1 ∈ δ(φ_1), ..., d_n ∈ δ(φ_n) 
and for all d' ∈ δ(ψ) it holds that 
d_1, ..., d_n ⊨ d'. 

The underlying intuition is that if someone utters a statement of the form if 
S then S', where S and S' are ambiguous sentences with δ(UR(S)) = {d_1, d_2}, 
δ(UR(S')) = {d'_1, d'_2}, then we do not know exactly what the speaker had in 
mind by uttering this. So to be sure that this was a valid utterance, one has to 
check whether it is valid for every possible combination of disambiguations, i.e., 
whether each of d_1 ⊨ d'_1, d_1 ⊨ d'_2, d_2 ⊨ d'_1, and d_2 ⊨ d'_2 is a valid classical 
consequence. 

Unfortunately, this definition of entailment is not a conservative extension 
of classical logic. Even the reflexivity principle A ⊨ A fails. For instance, if we 
take δ(UR(S)) = {d_1, d_2}, then UR(S) ⊨ UR(S) iff d_1 ⊨ d_1, d_1 ⊨ d_2, d_2 ⊨ d_1, 
and d_2 ⊨ d_2, i.e. iff ⊨ d_1 ↔ d_2. As we will show below, this has some clear 
consequences for our calculus, especially the closure conditions. We refer the 
reader to [Dee96,Jas97] for alternative definitions of the ambiguous entailment 
relation. 



4 An Underspecified Tableaux Calculus 

The differentiation between consequence and falsification can be nicely modeled 
in a labeled tableaux calculus, where the nodes in the tableaux tree are of the 
form T : φ or F : φ, meaning that we want to construct a model or countermodel 
for φ, respectively. Tableaux calculi are especially well suited, because the notion 
of a countermodel is implicit in the notion of an open tableaux tree, where one 
constructs a countermodel for a formula. 

But what does it mean if we allow not only first-order formulas to appear in 
a tableaux proof but also u-formulas? According to the semantic definitions in 
Section 3, a proof for a u-formula is simply a proof for each of its disambiguations 
(in a classical tableaux calculus TC). In the following two subsections we first 
introduce a calculus TC_u which integrates the mechanism of disambiguation in 
its deduction rules, and thereby allows one to postpone the disambiguation until 
it is really needed. TC_u nicely shows how ambiguity and branching of tableaux 
trees correspond to each other. But TC_u still makes no use of the compact repre- 
sentation of underspecified representations, introduced in Section 2. Therefore, 
we give a modified version of TC_u, called TC_up, which also allows us to reason 
within an underspecified representation. 

Our tableaux calculi are based on the labeled free-variable tableaux calculus, 
see for instance [Fit96] for a general introduction to tableaux calculi. 



4.1 Reasoning with Total Disambiguations 

The definitions of the logical connectives in section 3 allow us to treat logical 
connectives occurring in u-formulas in the same way as in a tableaux calculus 
for classical logic TC, as long as they do not occur inside of a UR. Here it is 
necessary to disambiguate the UR first, and then apply the rules in the normal 
way. 
Example 4. If we try to deduce (A ∧ B) → A, with δ(A) = {d_1, d_2} and B 
unambiguous, we have to prove each of ⊢_TC (d_1 ∧ B) → d_1, ⊢_TC (d_1 ∧ B) → d_2, 
⊢_TC (d_2 ∧ B) → d_1 and ⊢_TC (d_2 ∧ B) → d_2. This leads to the following classical 
labeled tableaux proof trees. 






(a) F : (d_1 ∧ B) → d_1    (b) F : (d_1 ∧ B) → d_2    (c) F : (d_2 ∧ B) → d_1    (d) F : (d_2 ∧ B) → d_2 
    T : d_1 ∧ B                T : d_1 ∧ B                T : d_2 ∧ B                T : d_2 ∧ B 
    F : d_1                    F : d_2                    F : d_1                    F : d_2 
    T : d_1                    T : d_1                    T : d_2                    T : d_2 
    T : B                      T : B                      T : B                      T : B 



At least structurally, the above proof trees are the same. It does not matter 
whether they contain underspecified representations. This suggests a natural 
strategy: to postpone disambiguation and merge those parts of the trees that 
are similar. 



(1) F : (A ∧ B) → A 
(2) T : A ∧ B 
(3) F : A 
(4) T : A 
(5) T : B 

(6) F : d_1                (7) F : d_2 

(8) T : d_1   (9) T : d_2   (10) T : d_1   (11) T : d_2 



This is a much more compact representation. Again, since A is ambiguous, (3) 
and (4) do not allow one to close the branch, because reflexivity is not a valid 
principle in our ambiguous setting. 

The deduction rules for our underspecified tableaux calculus for totally dis- 
ambiguated expressions TC_u are given in Table 1. Besides the last two rules 
(T_u : UR) and (F_u : UR), all rules are stated in a standard way and need no 
further explanation. The purpose of the last two rules is to disambiguate URs 
and to start a new branch for each of the disambiguations. This implements the 
idea of postponing disambiguation, because disambiguation now applies only to 
URs and not to arbitrary u-formulas. 

Theorem 1. Let φ ∈ ℒ^u. Then ⊢_{TC_u} φ iff ⊢_TC d, for all d ∈ δ(φ). 
Corollary 1. Let φ ∈ ℒ^u. Then ⊢_{TC_u} φ iff ⊨_u φ. 
Table 1. Deduction rules of the underspecified tableaux calculus TC_u 

[Rule table not reproduced; footnotes:] 
† Where x_1, ..., x_n are the free variables in φ. 
‡ Where d ∈ δ(UR). 



4.2 Reasoning with Partial Disambiguations 

From a computational point of view (T_u : UR) and (F_u : UR) are not optimal, 
since they cause a lot of branchings of the tableaux tree. Also, total disam- 
biguation is not the appropriate means for underspecified reasoning, because 
the advantage of the compact representation, namely avoiding redundancy, gets 
lost. So TC_u is appropriate for dealing with formulas containing URs but not 
for reasoning inside the URs themselves. 

Sometimes it is not necessary to compute all disambiguations, because there 
exists a strongest (weakest) partial disambiguation. If such a strongest (weakest) 
disambiguation does exist, it suffices to verify (falsify) this one, because it entails 
(is entailed by) all other disambiguations. But what are the circumstances under 
which a strongest (weakest) disambiguation exists? 

Before we can determine a strongest (weakest) reading, we have to resolve 
the relative position of negative contexts and quantifiers. To this end we define 
positive and negative contexts (see also [TS96]). 
Definition 6. A u-formula φ is a positive context for a subformula ξ of φ, 
notation: con⁺(φ, ξ), iff 

φ ::= ψ ∧ χ[ξ] | χ[ξ] ∧ ψ | ψ ∨ χ[ξ] | χ[ξ] ∨ ψ | ψ → χ[ξ] | ∀x χ[ξ] | ∃x χ[ξ] 

where ξ occurs in χ and con⁺(χ, ξ) holds, or φ ::= ¬χ[ξ] | χ[ξ] → ψ, where ξ 
occurs in χ and con⁻(χ, ξ) holds. 

A u-formula φ is a negative context for a subformula ξ of φ, con⁻(φ, ξ), iff 

φ ::= ψ ∧ χ[ξ] | χ[ξ] ∧ ψ | ψ ∨ χ[ξ] | χ[ξ] ∨ ψ | ψ → χ[ξ] | ∀x χ[ξ] | ∃x χ[ξ], 

where ξ occurs in χ and con⁻(χ, ξ) holds, or φ ::= ¬χ[ξ] | χ[ξ] → ψ, where ξ 
occurs in χ and con⁺(χ, ξ) holds. 

To apply the tableaux rules to a formula ψ it is necessary to know whether ψ 
occurs positively in a superformula φ (then we have to apply a T-rule), or 
negatively (then we have to apply an F-rule). In an underspecified representa- 
tion it may happen that a formula occurs positively in one disambiguation and 
negatively in another. We call formulas of this kind indefinite, and in this case 
we cannot apply a tableaux rule. 

Definition 7. Given an underspecified representation (LHF, L, H, C), a la- 
beled h-formula l : φ[h] ∈ LHF is definite if for every l' : ψ[h'] ∈ LHF such 
that con⁻(ψ, h') holds and h ⊔ h' is defined, it holds that l ≤ h' ∈ C or 
l' ≤ h ∈ C. It is called indefinite otherwise. 

Why do we consider definite formulas? Intuitively, we need to know which 
quantifier we are actually dealing with when we are trying to find a strongest 
(weakest) reading. Formulas can be made more definite by using the rules for 
partial negation resolution given in Table 2. Roughly, we obtain more definite 
h-formulas within a given underspecified representation by adding further con- 
straints which let indefinite h-formulas become definite by using one of the rules 
of partial negation resolution as specified in Table 2, which are generalizations of 
the method of partial disambiguation in [KR96] . These rules reduce the number 
of indefinite h-formulas occurring in an underspecified representation by creat- 
ing partial disambiguations in which the indefinite h-formula has scope over (or 
is in the scope of one of) the h-formulas inducing the indefiniteness; in Table 2 
this is l_m : φ_m[h_n], where con⁻(φ_m, h_n) holds and h_k ⊔ h_n is defined. Solid lines 
between two labels or holes, k, k', indicate an immediate scope relation; dashed 
lines are the transitive closure of solid lines. For instance, let φ_j = ∀x(φ) and 
φ_m = ¬h_n; we do not know whether ∀x binds x universally or existentially, 
because it can appear above or under the negation. Applying (T_u : π) yields the 
two possible cases, namely ∀x(φ) occurring above (left branch) or under (right 
branch) the negation. 

To put it differently, suppose that l_m : φ_m[h_n] is the only h-formula which 
causes indefiniteness of l_j : φ_j in an application of (T_u : π); then the rule for 
left partial disambiguation labels l_j : φ_j with T_u, because now it has scope over 
Table 2. Tableaux rules for partial negation resolution 

[Rule diagrams (T_u : π) and (F_u : π), with nodes l_j : φ_j[h_k], l_m : φ_m[h_n] and hole h_i; not reproduced.] 



the negative context, and the rule for right partial disambiguation labels l_j : φ_j 
with F_u, because it is in the scope of the negative context. 

Our complete set of deduction rules for underspecified representations is given 
by combining Tables 2 and 3. This set defines our tableaux calculus, TC_up. 

Observe that there are three sets of rules in Table 3. The first set deals 
with ordinary logical connectives only. The second group are so-called interface 
rules; roughly speaking, they control the flow of information between traditional 
tableaux reasoning and disambiguation. Reasoning within an underspecified rep- 
resentation starts at its top-hole and compares all its daughters, i.e., those for- 
mulas that appear immediately in its scope. A similar interface is needed for 
h-formulas. The logical connectives in complex h-formulas are also treated with 
the T/F-rules, but for treating holes we need to know what material goes into 
them. For holes having only one daughter, it is possible to apply the normal 
tableaux rules to this daughter, see (T_u : f) and (F_u : f). 

As to the rules in the third group, these are designed to partially construct 
the weakest or strongest readings of u-formulas, respectively. Both (T_u : ∀) and 
(F_u : ∃) presuppose that l_j : ∃xφ[h_i] or l_j : ∀xφ[h_i] occurs definite, otherwise we 
Table 3. Set of deduction and interface rules of TC_up 

[Rule table not reproduced; footnotes:] 
† Where x_1, ..., x_n are the free variables in φ. 
‡ Where Q ∈ {∀, ∃}, l_j is definite, and ∀xφ[h] and ∃xφ[h] are special (see below). 

would not be able to tell what the quantificational force of l_j : ∃xφ or l_j : ∀xφ 
is. So, before applying the rules it may be necessary to apply partial negation 
resolution as presented in Table 2 first so as to make l_j : ∀xφ[h_i] definite. There is 
an important restriction on the applicability of the rules (T_u : ∀) and (F_u : ∃): to 
guarantee soundness of the rules, the formulas ∀x φ[h] and ∃x φ[h] in l_j should be 
special. Here ∀x φ[h] is special if it is of the form ∀x (χ_1 → h) or ∀x (χ_1 ∧ h → χ_2), 
while ∃x φ[h] is special if it is of the form ∃x (χ_1 ∧ h). 

To conclude this section, we briefly turn to soundness and completeness. 
First, now that our tableaux may have different kinds of labelings (there are 
T/F-nodes and T_u/F_u-nodes), we need to specify what it means for a tableau 
to close. We say that a branch b closes if there are two nodes T : φ and F : ψ 
belonging to b, such that φ and ψ are atomic formulas of ℒ and φ and ψ are 
unifiable. In particular, it is not possible to close a tableau with two nodes T : φ 
and F : ψ containing holes or underspecified representations. 

Next, what do soundness and completeness mean in our ambiguous setting? 
Sound and complete with respect to which semantics or system? We have opted 
to state soundness and completeness with respect to tableaux provability of all 
total disambiguations. 

Theorem 2 (Soundness and Completeness). Let φ ∈ ℒ^u. Then ⊢_{TC_up} φ 
if, and only if, for all d ∈ δ(φ), ⊢_TC d. 

Proof (Sketch). The soundness part ('only if') boils down to a proof that the 
T_u/F_u rules do not introduce any information that would not have been available 
by totally disambiguating first. The restrictions on the rules (T_u : ∀) and (F_u : ∃) 
that were discussed above allow us to establish this. 

Proving completeness ('if') is in some way easier: any open branch in a (com- 
pletely developed) tableau for TC_up corresponds to a (completely developed) 
open branch in a tableau proof for TC_u. See [MR98] for the details. 

5 An Example 

Consider the sentence every boy doesn't see a movie appearing as a premise in a 
tableau. Because displaying derivations in our calculus is very space-consuming, 
we can only give the beginning of one of its branches, which is given in Fig- 
ure 1. Each box corresponds to a node in a tableau tree. Because in (1) l_1 : 
∀x(boy(x) → h_1) occurs indefinite, it is necessary to apply partial negation 
resolution first. The total disambiguation of the left branching would be 

$\{\forall x\,(boy(x) \to \exists y\,(movie(y) \wedge \neg see(x,y))),$

$\quad \forall x\,(boy(x) \to \neg\exists y\,(movie(y) \wedge see(x,y))),$

$\quad \exists y\,(movie(y) \wedge \forall x\,(boy(x) \to \neg see(x,y)))\},$

that is, formulas in which the universal quantifier has scope over the nega- 
tion, disregarding the existential quantifier. Now (T_u : ∀) is applicable and the 
universal quantifier is given wide scope in (4), corresponding to the readings 
∀x(boy(x) → ∃y(movie(y) ∧ ¬see(x,y))) and ∀x(boy(x) → ¬∃y(movie(y) ∧ 
see(x,y))). Because h_0 has only one daughter, the normal tableaux rules for 
logical connectives can be applied to it. So we instantiate x with a free variable 
X and apply (T : →), which causes a branching of the proof tree, where (7) is a 
non-ambiguous literal with which we can try to close a tableaux branch. In (8) 
h_1 is the top-node to which the underspecified tableaux rules can be applied. 

[Fig. 1. Part of a proof in TC_up; figure not reproduced.] 

6 Conclusion 

In this paper we have presented a tableaux calculus for reasoning with ambigu- 
ous quantification. We have set up a representation formalism that allows for a 
smooth interleaving of traditional deduction steps with disambiguation steps. 

Our ongoing work focuses on two aspects. First, we are adding rules for coping 
with additional forms of ambiguity to the calculus, such as ambiguity of binary 
connectives. Second, we are in the process of implementing the calculus TC_up; 
as part of this work new and interesting theoretical issues arise, such as 'proof 
optimization': for reasons of efficiency it pays to postpone disambiguations as 
long as possible, but to be able to apply some of the rules expressions need to 
be definite, and for this reason early disambiguation may be required. What is 
the best way of reconciling these two demands? 
Abstract. Starting with a derivation in the refutation calculus CRIP 
of Pinto and Dyckhoff, we give a constructive algebraic method for de- 
termining the values of formulas of intuitionistic propositional logic in a 
counter-model. The values of compound formulas are computed point- 
wise from the values on atoms, in contrast to the non-local determination 
of forcing relations in a Kripke model based on classical reasoning. 



1 Introduction 

Systems of terminating sequent calculi for intuitionistic propositional logic were 
first given in Dyckhoff (1992) and in Hudelmaier (1992). These calculi have the 
property that bottom-up proof search of provable sequents always terminates, a 
feature obtained through a refinement of the left implication rule of the usual 
cut-free sequent calculi for intuitionistic propositional logic (see Troelstra and 
Schwichtenberg 1996 for standard versions of these calculi). 

In Pinto and Dyckhoff (1995), a related refutation calculus CRIP was given, 
for showing underivability of a sequent Γ ⇒ A. They proved that for intuitio- 
nistic propositional logic, either the sequent Γ ⇒ A is derivable in Dyckhoff's 
calculus LJT*, or the antisequent Γ ⇏ A is derivable in CRIP. For the latter 
case, a method was given for constructing a Kripke counter-model. A related 
method was developed by Stoughton (1996) for producing small Kripke counter- 
models. 

We shall here propose an algebraic method for computing the values of com- 
pound formulas in a counter-model. The method is constructive, and can replace 
the determination of forcing of compound formulas in a Kripke model. In the 
latter, classical reasoning on the meta-level is used; our method, instead, uses a 
direct pointwise computation from values on atomic formulas. 

In Kripke trees as well as in Heyting algebras, there is no internal notion 
for expressing that, say, an element is strictly above another one in the partial 
order, but this can only be seen by looking "from the outside", if at all. We 
propose a structure, that of a positive Heyting algebra, that internalizes the 
intuitive situation. This is done by requiring a relation a ≰ b, read as "a exceeds 
b", with properties such that the usual partial order comes out as a negation, 
a ≤ b ≡ ~ a ≰ b. This is quite analogous to the definition of an equality relation 
as a negation of apartness. Next, we define a formula A to be invalid if there 
exists a valuation v to a positive Heyting algebra such that v(⊤) ≰ v(A). If not, 
A is defined as valid, and we have for all valuations v that v(⊤) ≤ v(A). In 
von Plato (1997), it is shown that this initially perhaps surprising definition of 
intuitionistic validity as a negative notion coincides with the usual definition. 
Further, with positive Heyting algebras we can express and prove soundness 
of rules of refutation, by showing that if there is a counter-valuation for the 
premises, there is a counter-valuation for the conclusion. 

The paper is organized as follows: we introduce the algebraic semantics of 
refutation, and then present the calculus CRIP. In Section 5, we show how to 
construct an algebraic counter-model parallel to the construction of a Kripke 
counter-model. The key step is the operation of combining (positive) Heyting 
algebras that corresponds to the gluing of Kripke models. In Section 6, we show 
how the valuations in positive Heyting algebras are computed, and in Section 7 
we give some examples; these show concretely how the values of compound for- 
mulas are computed from values on atoms, instead of the non-local and classical 
determination of forcing in a Kripke model. 



2 Positive Partial Order, Lattices and Heyting Algebras 

We assume given a set with a primitive relation a ≰ b, to be read a exceeds b, 
and satisfying the axioms of irreflexivity and splitting: 

PPO1. ~ a ≰ a,        PPO2. a ≰ b ⊃ a ≰ c ∨ c ≰ b. 

A set with such a relation is called a positive partial order. Observe that the 
relation is not a partial order, for transitivity does not in general hold, but a 
relation whose negation is a partial order, defined by: 

Definition 1. a ≤ b ≡ ~ a ≰ b. 

This weak partial order relation is reflexive by PPO1 and transitive by contra- 
position of PPO2. As there will be no need for a primitive notion of equality, we 
define equality by a = b ≡ a ≤ b & b ≤ a. Thus, our weak partial order is what is 
sometimes called a quasi-ordering. 

We can further define an apartness relation by a ≠ b ≡ a ≰ b ∨ b ≰ a. It 
has the usual properties, and its negation coincides with equality defined above. 
Strict partial order can be defined by a < b ≡ and it is irreflexive 
and transitive. 

A positive lattice is obtained by adding meet and join operations and the 
following axioms to a positive partial order. 

MTI  ~ a∧b ≰ a,  ~ a∧b ≰ b,          JNI  ~ a ≰ a∨b,  ~ b ≰ a∨b, 

MTU  c ≰ a∧b ⊃ c ≰ a ∨ c ≰ b,        JNU  a∨b ≰ c ⊃ a ≰ c ∨ b ≰ c. 

Positive Heyting algebras result from adding to a positive lattice a third 
construction a→b, to be called Heyting arrow, with the axioms 

PHI  ~ (a→b)∧a ≰ b,        PHU  c ≰ a→b ⊃ c∧a ≰ b. 

The first axiom validates modus ponens; the second, a constructive uniqueness 
principle, identifies implication as the supremum of anything that together with 
a gives b. 

Here we use positive Heyting algebras with a bottom element 0. This is 
obtained by the principle 

PHB  ~ 0 ≰ a, 

and a top element 1 is now defined by 1 = 0→0. 

Each of the positive structures is constructively stronger than the correspon- 
ding usual structure, because of the presence of splitting and the uniqueness 
axioms. But if we define partial order through the negation of excess, the usual 
axioms for partial order, lattices and Heyting algebras are obtained by taking 
the negative axioms for excess and the contrapositions of the positive ones. For 
instance, the axioms for partial order defined negatively are PPO1 and the 
contraposition of PPO2, and the ones to be added for lattices are MTI, JNI, and 

~ c ≰ a & ~ c ≰ b ⊃ ~ c ≰ a∧b, 

~ a ≰ c & ~ b ≰ c ⊃ ~ a∨b ≰ c, 

and for Heyting algebras PHB, PHI, and 

~ c∧a ≰ b ⊃ ~ c ≰ a→b. 

If a formula in which all atoms are negated is proved in the theory of positive 
Heyting algebras, then it can be proved in the theory with the above axioms. This 
conservativity result is proved in Negri (1997) by means of a cut-free sequent 
calculus for the theory of positive Heyting algebras. (The ideas and methods of 
this proof require too much space to be summarized here). 

We say that a map φ from a positive Heyting algebra H_1 to a positive Heyting 
algebra H_2 is a homomorphism of positive Heyting algebras if it reflects the excess 
relation and preserves meet, join, Heyting arrow and bottom, that is, for all 
a, b ∈ H_1 we have 

1. φ(a) ≰ φ(b) implies a ≰ b, 

2. φ(a∧b) = φ(a)∧φ(b), 

3. φ(a∨b) = φ(a)∨φ(b), 

4. φ(a→b) = φ(a)→φ(b), 

5. φ(0_1) = 0_2, 

where 0_1 and 0_2 are the bottom elements of H_1 and H_2, respectively. 

If a map φ reflects the excess relation, then by contraposition it is mono- 
tone with respect to the partial order defined through negation of excess. As a 
consequence, the conditions 2-5 can be weakened into the following: 

2'. ~ φ(a)∧φ(b) ≰ φ(a∧b), 

3'. ~ φ(a∨b) ≰ φ(a)∨φ(b), 

4'. ~ φ(a)→φ(b) ≰ φ(a→b), 

5'. ~ φ(0_1) ≰ 0_2. 

An isomorphism of positive Heyting algebras is a bijective homomorphism of 
positive Heyting algebras. 

The following lemma will be used in the proof of Proposition 11: 

Lemma 2. If H_1 and H_2 are positive Heyting algebras and φ : H_1 → H_2 and 
ψ : H_2 → H_1 are maps that reflect the excess relation and are inverses of each 
other, then φ is an isomorphism of positive Heyting algebras. 

Proof. We prove 2', the other conditions being dealt with similarly. 

By bijectivity, we have a∧b = ψφ(a∧b), and thus also ψφ(a)∧ψφ(b) = ψφ(a∧b). 
By monotonicity of ψ we have ~ ψ(φ(a)∧φ(b)) ≰ ψφ(a)∧ψφ(b), and therefore 
~ ψ(φ(a)∧φ(b)) ≰ ψφ(a∧b). By monotonicity of φ and the fact that φ is the 
inverse of ψ, we obtain ~ φ(a)∧φ(b) ≰ φ(a∧b). 

3 Algebraic Semantics of Refutation 

We shall show that positive Heyting algebras lead to a natural formal semantics 
of refutation, corresponding precisely to the usual algebraic semantics for 
derivability. A valuation is, as usual, a homomorphism v : Form → H from the set 
of formulas Form (here of intuitionistic propositional logic) to a positive Heyting 
algebra H, satisfying the equations 

v(A&B) = v(A)∧v(B), 

v(A ∨ B) = v(A)∨v(B), 

v(A ⊃ B) = v(A)→v(B), 

v(⊥) = 0. 

Let Γ range over finite sets of formulas. We shall write v(Γ) for the meet of the 
values of formulas in Γ, with v(Γ) = 1 in case Γ is empty. 

Definition 3. A formula A is invalid under Γ, written Γ ⊭ A, if there is a 
valuation v to a positive Heyting algebra such that v(Γ) ≰ v(A). In this case we 
say that v is a counter-valuation to Γ, A. 

In particular, a formula A is invalid, denoted by ⊭ A, if there is a valuation v to 
a positive Heyting algebra such that 1 ≰ v(A). We can also define consistency of 
Γ internally, by requiring that there is a valuation v for which v(Γ) ≰ 0. This is 
most naturally written as Γ ⊭ ⊥ (or, equivalently, Γ ⊭ ). 

Definition 4. Γ ⊨ A if and only if not Γ ⊭ A. 

We shall say that A is valid under Γ, or a logical consequence of Γ. In particular, 
A is valid if not ⊭ A, and Γ is inconsistent if not Γ ⊭ ⊥. 

We emphasize that this order of concepts is essential for reasoning construc- 
tively. If a classical meta-logic is used, validity can equally be taken as the basic 
notion. 

It follows from our definition that Γ ⊨ A if and only if for all valuations v 
to positive Heyting algebras, v(Γ) ≤ v(A). In particular, we have that a formula 
A is valid if and only if v(A) = 1 for all valuations. This is just like the standard 
definition of validity for intuitionistic logic except that it refers to positive 
Heyting algebras, and as shown in von Plato (1997), the new notion of validity 
coincides with the old one. To give a brief example of a proof of validity, let us 
show ⊨ A&B ⊃ A. So assume there is a valuation v such that 1 ≰ v(A&B ⊃ A). 
Then 1 ≰ v(A)∧v(B)→v(A), so by PHU, v(A)∧v(B) ≰ v(A), which gives a 
contradiction by MT1. So for all valuations v we have ~ 1 ≰ v(A&B ⊃ A), that is, 
1 ≤ v(A&B ⊃ A). Observe that the proof is constructive: no reductio ad absurdum 
is used, but the negative definition of validity. 

In von Plato (1997), details of the application of positive Heyting algebras 
to intuitionistic propositional logic can be found. For example, it is shown that 
the Lindenbaum algebras of intuitionistic propositional logic have the structure 
of positive Heyting algebras, from which completeness relative to these algebras 
follows. 

4 Refutation Calculi 

For us, a refutation calculus is a system of syntactic rules for showing refutability. 
Refutability is a positive notion, in contrast to the weak negative notion of 
underivability. 

We shall here make use of the calculus CRIP of Pinto and Dyckhoff (1995), 
with the role of falsum in the rules made explicit (Roy Dyckhoff, personal 
communication November 1997). In the rules below, an antisequent is an expression 
of the form Γ ⇏ Δ where Γ, Δ are finite multisets of formulas. The rules of CRIP, 
from Pinto and Dyckhoff (1995, p. 227), are to be read as follows: We start from 
an antisequent Γ ⇏ Δ at the bottom, and infer sufficient conditions upwards. 
If we reach axioms in all leaves of the upward-growing tree, the refutation was 
successful. We can then read the tree top-down as a derivation of the initial 
antisequent as a theorem of CRIP, and, therefore, as a nontheorem of intuitionistic 
propositional logic. If not, the sequent Γ ⇒ Δ is derivable in the multisuccedent 
calculus LJT* of Dyckhoff (1992). 

In the rules of CRIP below, we use P,Q, R, . . . for atomic formulas and 
A, B,C, . . . for arbitrary formulas. Two of the rules have conditions, and in 
them, an atomic implication is one with an atom as antecedent. 
CRIP: 

  ─────────────────────────────── axiom 
   P1⊃B1, ..., Pk⊃Bk, Γ ⇏ Δ 

   A, B, Γ ⇏ Δ                Γ ⇏ Δ, A                 Γ ⇏ Δ, B 
  ─────────────── (1)        ─────────────── (2)      ─────────────── (3) 
   A&B, Γ ⇏ Δ                 Γ ⇏ Δ, A&B               Γ ⇏ Δ, A&B 

   A, Γ ⇏ Δ                   B, Γ ⇏ Δ                 Γ ⇏ Δ, A, B 
  ─────────────── (4)        ─────────────── (5)      ─────────────── (6) 
   A∨B, Γ ⇏ Δ                 A∨B, Γ ⇏ Δ               Γ ⇏ Δ, A∨B 

   P, B, Γ ⇏ Δ                C⊃B, D⊃B, Γ ⇏ Δ          C⊃(D⊃B), Γ ⇏ Δ 
  ─────────────── (7)        ─────────────────── (8)  ─────────────────── (9) 
   P, P⊃B, Γ ⇏ Δ              (C∨D)⊃B, Γ ⇏ Δ           (C&D)⊃B, Γ ⇏ Δ 

   B, Γ ⇏ Δ 
  ─────────────────── (10) 
   (C⊃D)⊃B, Γ ⇏ Δ 

   C1, D1⊃B1, Γ1 ⇏ D1  ...  Cn, Dn⊃Bn, Γn ⇏ Dn     Γ', E1 ⇏ F1  ...  Γ', Em ⇏ Fm 
  ───────────────────────────────────────────────────────────────────────── (11) 
                        Γ' ⇏ E1⊃F1, ..., Em⊃Fm, Δ 

where we use the abbreviations: 

   Γ' = (C1⊃D1)⊃B1, ..., (Cn⊃Dn)⊃Bn, Γ, 
   Γi = Γ' − (Ci⊃Di)⊃Bi. 

   Γ ⇏ Δ 
  ─────────────── (12) 
   ⊥⊃B, Γ ⇏ Δ 

The conditions in axiom are that Γ contains only atomic formulas, Δ contains 
only atomic formulas or ⊥, Γ and Δ are disjoint, and each Pi is atomic and not 
in Γ. 

The restrictions in rule (11) are: Each formula in Γ is either atomic or an 
atomic implication, no antecedent of an atomic implication is equal to an atom 
in Γ, Δ contains only atoms or ⊥, Γ and Δ are disjoint. 

The axiom-rule is a special case of rule (11), with m = n = 0. The conditions 
and rule (12) are amendments to Pinto and Dyckhoff (1995). It is possible to 
avoid adding rule (12) if in rule (11) Γ is permitted to contain implications with 
⊥ as antecedent. 
5 Construction of Counter-Valuations 

We show how to construct positive Heyting algebras serving as codomains of 
counter-valuations for the nontheorems of intuitionistic propositional logic. We 
use the calculus CRIP and the construction of Kripke counter-models from 
derivations of antisequents in CRIP, to obtain the construction of positive Heyting 
algebras and counter-valuations. 

We start by recalling the construction of a Heyting algebra out of a Kripke 
model (for more details, see Fitting 1969). Let K be a Kripke model, with a 
reflexive and transitive relation ≤ and a forcing relation ⊩ between elements 
w of K and formulas, with the usual properties.¹ The algebraic model H(K) 
corresponding to K is the collection of the upward closed subsets² of K, with 
ordering given by subset inclusion. The meet and join operations are intersection 
and union, respectively. The top element 1 is the whole set K, the bottom is the 
empty set. The K-valuation v(P) of an atomic formula P is the set of nodes of 
the Kripke model forcing P, 

Definition 5. v(P) = {w ∈ K | w ⊩ P}. 

We have (Fitting 1969, p. 24): 

Proposition 6. H(K) is a Heyting algebra, with v(A) = 1 iff K ⊩ A. 

For propositional logic, finite Kripke models suffice for the construction of coun- 
ter-models. These are discrete structures, with a decidable partial order. 

Whereas finite sets have a decidable membership, subfinite sets, i.e., subsets 
of a finite set, do not necessarily have a decidable membership. We therefore 
define the Heyting algebra associated to a finite Kripke tree to consist of finite 
subsets of the Kripke tree. Then the associated Heyting algebra has a decidable 
order, and is indeed a positive Heyting algebra with the excess relation defined 
by 

U ≰ V =df (∃u ∈ U)(u ∉ V). 

We therefore have 

Proposition 7. If K is a finite Kripke tree, H(K) is a positive Heyting algebra. 

The following representation of elements of H(K) will be useful: 

Lemma 8. If K is a finite Kripke tree, then every element of H(K) can be 
uniquely represented as 

⋃_{a ∈ F} ↑a 

where ↑a = {b ∈ K | a ≤ b}, F is a finite subset of K, and any two distinct 
elements of F are incomparable. 

¹ By well known results (see Troelstra and van Dalen 1988, ch. 2.6) we can consider 
Kripke models as represented by trees, and call a Kripke tree the lattice structure 
of a Kripke model. 

² Recall that a subset U of S is upward closed if, whenever x ∈ S and a ≤ x for some 
a ∈ U, then x ∈ U. 




Proof. Immediate. 

In the construction of Kripke models, an essential step is the gluing of a finite 
number of Kripke models K1, ..., Kn. The resulting Kripke model has an initial 
world w0 with immediate successors given by the initial worlds of the n given 
Kripke models. The forcing relation can be modified by the forcing of certain 
atoms in the new root w0. 

We shall denote by g(K1, ..., Kn) the Kripke tree obtained by gluing of 
K1, ..., Kn. Our next task is to find the operation on (positive) Heyting algebras 
corresponding to gluing, that is, the operation ∘ solving up to positive Heyting 
algebra isomorphism the equation 

H(g(K1, ..., Kn)) = ∘(H(K1), ..., H(Kn)). 

For the sake of simplicity, we consider the case of n = 2 only, but what follows 
generalizes to any finite number in an obvious way. 

Before giving the general construction, we discuss two examples: 

Example 9. Let K1 be the singleton-set Kripke tree. Then H(K1) is the 
(positive) Heyting algebra consisting of two elements 

[Hasse diagram: {a} above ∅] 

Observe that when one draws diagrams of this kind, one neatly places the points 
apart, even though in the theories based on partial order there is no internal 
notion to express the visual effect. 

Example 10. 

[Kripke tree K2 with worlds b, c, d, and the Hasse diagram of H(K2), with top 
element {b, c, d}, the element {c, d} below it, and ∅ at the bottom; diagram not 
reproduced] 

Observe that K2 is itself the gluing of two Kripke trees of the first kind, so 
H(K2) = H(K1) ∘ H(K1) where ∘ is the operation to be determined. 

If we glue together K1 and K2 we obtain 

[Kripke tree g(K1, K2); diagram not reproduced] 

and the corresponding positive Heyting algebra is 

[Hasse diagram not reproduced] 

(with explicit labels omitted) 




The general construction behind these examples is as follows: Given two 
positive Heyting algebras H1 and H2, with respective top elements 1_1 and 1_2, 
let H1 × H2 be their Cartesian product with excess relation defined by 

(a1, a2) ≰ (b1, b2) = a1 ≰ b1 ∨ a2 ≰ b2 

and component-wise meet, join and Heyting arrow, and let H1 ×̂ H2 be the 
lattice obtained by adding an "extra-top" element 1 and extending the excess 
relation by posing ~ (a, b) ≰ 1 for a ∈ H1, b ∈ H2 and 1 ≰ (1_1, 1_2). It is clear 
that in the examples we have 

H(K2) = H(g(K1, K1)) ≅ H(K1) ×̂ H(K1), 

H(g(K1, K2)) ≅ H(K1) ×̂ H(K2). 

Indeed we have, in full generality, that the extra-topped Cartesian product is the 
operation on Heyting algebras corresponding to the gluing of Kripke models: 

Proposition 11. Let K1 and K2 be finite Kripke trees. Then 

H(g(K1, K2)) ≅ H(K1) ×̂ H(K2). 
Proof. By lemma 8, an element in H(g(K1, K2)) is either 1 = ↑w0, where w0 is 
the root of g(K1, K2), or 

⋃_{a ∈ F1} ↑a ∪ ⋃_{b ∈ F2} ↑b 

where F1 and F2 are finite subsets of K1 and K2. The maps 

φ : H(g(K1, K2)) → H(K1) ×̂ H(K2) 
    ↑w0 ↦ 1 
    ⋃_{a ∈ F1} ↑a ∪ ⋃_{b ∈ F2} ↑b ↦ (⋃_{a ∈ F1} ↑a, ⋃_{b ∈ F2} ↑b) 

ψ : H(K1) ×̂ H(K2) → H(g(K1, K2)) 
    1 ↦ ↑w0 
    (⋃_{a ∈ F1} ↑a, ⋃_{b ∈ F2} ↑b) ↦ ⋃_{a ∈ F1} ↑a ∪ ⋃_{b ∈ F2} ↑b 

reflect the excess relation and are inverses of each other, therefore by lemma 2 
they give an isomorphism between H(g(K1, K2)) and H(K1) ×̂ H(K2). 
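As an added illustration of proposition 11 (this is example code written for this edition, not code from the paper), the following Python builds H(K) for small finite Kripke trees as the set of upward closed subsets, glues trees at a fresh root, and checks the map φ of the proof above concretely: that it is a bijection onto the extra-topped product and that it reflects and preserves the excess relation, which is exactly what lemma 2 requires. The class and function names, and the convention that worlds are integers with the root numbered 0, are assumptions of the example.

```python
from itertools import chain, combinations


class KripkeTree:
    """A finite Kripke tree. Worlds are integers, the root is 0, and
    parent[w] is the immediate predecessor of each non-root world w.
    (Assumed representation, constructed for this example.)"""

    def __init__(self, parent):
        self.parent = dict(parent)
        self.worlds = sorted({0, *self.parent, *self.parent.values()})

    def leq(self, a, b):
        """a <= b iff a is b itself or an ancestor of b."""
        while b != a:
            if b not in self.parent:
                return False
            b = self.parent[b]
        return True

    def up(self, a):
        """The upward closure of a single world (the paper's up-arrow a)."""
        return frozenset(b for b in self.worlds if self.leq(a, b))

    def is_upset(self, s):
        return all(self.up(a) <= s for a in s)

    def algebra(self):
        """H(K): every upward closed subset (finitely many, K being finite)."""
        subsets = chain.from_iterable(combinations(self.worlds, k)
                                      for k in range(len(self.worlds) + 1))
        return [frozenset(s) for s in subsets if self.is_upset(frozenset(s))]


def glue(*trees):
    """g(K1, ..., Kn): a fresh root 0 whose immediate successors are the
    roots of the given trees. Returns the glued tree and, per argument,
    the renaming old world -> new world."""
    parent, renamings, offset = {}, [], 1
    for t in trees:
        ren = {w: w + offset for w in t.worlds}
        parent[ren[0]] = 0
        for w, p in t.parent.items():
            parent[ren[w]] = ren[p]
        renamings.append(ren)
        offset += len(t.worlds)
    return KripkeTree(parent), renamings


def excess(u, v):
    """The excess relation of H(K): U exceeds V iff some u in U lies outside V."""
    return any(x not in v for x in u)


def arrow(tree, u, v):
    """Heyting arrow in H(K): the worlds all of whose successors in U lie in V."""
    return frozenset(w for w in tree.worlds
                     if all(b in v for b in tree.up(w) if b in u))


TOP = "1"  # the extra top of the extra-topped product H(K1) x^ H(K2)


def product_excess(p, q):
    """Excess on the extra-topped product: component-wise on pairs, nothing
    exceeds the extra top, and the extra top exceeds every pair."""
    if p == TOP:
        return q != TOP
    if q == TOP:
        return False
    return excess(p[0], q[0]) or excess(p[1], q[1])


def phi(glued, ren1, ren2, u):
    """The map phi of proposition 11: the whole tree (the up-closure of the
    new root) goes to the extra top, any other up-set to the pair of its
    traces on K1 and K2, expressed in those trees' own world names."""
    if u == frozenset(glued.worlds):
        return TOP
    inv1 = {new: old for old, new in ren1.items()}
    inv2 = {new: old for old, new in ren2.items()}
    return (frozenset(inv1[w] for w in u if w in inv1),
            frozenset(inv2[w] for w in u if w in inv2))


def check_proposition_11(k1, k2):
    """Return (|H(K1)|, |H(K2)|, |H(g(K1,K2))|, phi_is_isomorphism)."""
    glued, (ren1, ren2) = glue(k1, k2)
    h1, h2, hg = k1.algebra(), k2.algebra(), glued.algebra()
    image = {u: phi(glued, ren1, ren2, u) for u in hg}
    product = {TOP} | {(a, b) for a in h1 for b in h2}
    bijective = (set(image.values()) == product
                 and len(set(image.values())) == len(hg))
    # lemma 2: a bijection reflecting (here also preserving) excess is an
    # isomorphism of positive Heyting algebras
    faithful = all(excess(u, v) == product_excess(image[u], image[v])
                   for u in hg for v in hg)
    return len(h1), len(h2), len(hg), bijective and faithful


if __name__ == "__main__":
    k1 = KripkeTree({})            # example 9: the singleton tree
    k2, _ = glue(k1, k1)           # example 10: K2 = g(K1, K1)
    print(check_proposition_11(k1, k2))   # (2, 5, 11, True)
```

The sizes alone already reflect the proposition: H(K1) has 2 elements, H(K2) has 5 = 2·2 + 1, and H(g(K1, K2)) has 11 = 2·5 + 1. The `arrow` function is the up-set implication of the Kripke model and is included so the reader can see that U → U is the whole tree, which under φ is the extra top and not the pair of component tops; this is the case that section 6 singles out as needing care.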

We adopt from Pinto and Dyckhoff (1995) the following: 

Definition 12. A Kripke tree is a strong counter-model to a sequent Γ ⇒ Δ if 
in its initial world all the formulas in Γ are forced and none of the formulas in 
Δ are forced. 

Our corresponding algebraic notion is: 

Definition 13. A positive Heyting algebra H with a valuation v is an algebraic 
counter-model to a sequent Γ ⇒ Δ if for all A in Γ, we have v(A) = 1 and 

Lemma 14. If K is a strong counter-model to Γ ⇒ Δ, then H(K), with the 
K-valuation as defined in 5, is an algebraic counter-model to Γ ⇒ Δ. 

As an aside, we recall from Pinto and Dyckhoff (1995) that a Kripke tree is a 
counter-model to a sequent Γ ⇒ Δ if it has a node in which all formulas in Γ 
are forced and none of the formulas in Δ are forced. If K is a counter-model to 
Γ ⇒ Δ then the positive Heyting algebra H(K) with the K-valuation has the 
property that 

⋀_{A ∈ Γ} v(A) ≰ ⋁_{B ∈ Δ} v(B) 

and we call such a positive Heyting algebra with a valuation satisfying the above 
property a weak algebraic counter-model. The relation between algebraic 
counter-models and weak algebraic counter-models parallels the relation between strong 
counter-models and counter-models, that is, every algebraic counter-model is a 
weak algebraic counter-model but not conversely. 
Theorem 15. If Γ ⇏ Δ is derivable in CRIP, then there is an algebraic 
counter-model to the sequent Γ ⇒ Δ. 

Proof. Consider the derivation in CRIP of the antisequent Γ ⇏ Δ. For each 
step of the construction of the Kripke counter-model as given in proposition 1 
of Pinto and Dyckhoff (1995), there is a corresponding step of construction of a 
positive Heyting algebra and an algebraic counter-valuation, given as follows: 

- To the Kripke tree consisting of a single world there corresponds the positive 
Heyting algebra consisting of two elements. All atoms that are forced are 
evaluated into the top element, the others into the bottom. 

- To the gluing of n > 1 Kripke trees Ki there corresponds the extra-topped 
Cartesian product of Heyting algebras. The atoms forced in the new root are 
evaluated into the extra top, the other atoms P into (v1(P), ..., vn(P)) where 
vi(P) is the Ki-valuation of H(Ki). In the special case of an application of rule 
(11) with just one premise, and in all other rules, no gluing of Kripke models is 
performed, and correspondingly, no extra-topped Cartesian product is taken: an 
algebraic counter-model for the premise is also a counter-model for the 
conclusion. 

By proposition 11, the Heyting algebra H resulting from this construction is 
isomorphic to the Heyting algebra H(K) associated to the resulting Kripke tree. 
Moreover, by lemma 14, H with the K-valuation of H(K) is an algebraic 
counter-model to Γ ⇒ Δ. 

6 Computation of Counter-Valuations 

The proof of theorem 15 prescribes how to construct an algebraic counter-model 
starting from a successful CRIP refutation. The positive Heyting algebra that 
serves as codomain of the valuation is defined inductively: The starting points 
are the two-element Heyting algebras, serving as counter-models for the axioms, 
and given n > 1 positive Heyting algebras that serve as counter-models for the 
n premises of rule (11), the counter-model for the conclusion is obtained by taking 
their extra-topped Cartesian product. The construction also gives the valuation 
for atomic formulas. The evaluation of compound formulas can then be done in 
a component-wise fashion, but before that a remark on the Cartesian product 
of positive Heyting algebras is in order: 

If H1, ..., Hn are positive Heyting algebras, then the set given by their 
Cartesian product with excess relation given by 

(a1, ..., an) ≰ (b1, ..., bn) = a1 ≰ b1 ∨ ... ∨ an ≰ bn 

and meet, join and Heyting arrow defined component-wise, is a positive Heyting 
algebra. 

Let H be the extra-topped Cartesian product of the positive Heyting algebras 
H1, ..., Hn and let v be a valuation on atoms. Then for all formulas A, v(A) 
is either 1 or (a1, ..., an), where ai ∈ Hi. For the sake of simplicity we can also 
denote by a vector (t1, ..., tn) the extra-top and extend the excess relation and 
the meet and join operations of Hi by stating that ti ≰ ai for all ai ∈ Hi and by 
posing ti∧ai = ai and ti∨ai = ti. Then valuations can be computed 
component-wise, with some care for implication. So assume that v(B) = (b1, ..., bn) and 
v(C) = (c1, ..., cn) have been computed. We then have: 

v(B&C) = v(B)∧v(C) = (b1∧c1, ..., bn∧cn), 

v(B ∨ C) = v(B)∨v(C) = (b1∨c1, ..., bn∨cn). 

For v(B ⊃ C) we distinguish three cases: 

If ~ v(B) ≰ v(C), then v(B ⊃ C) = (t1, ..., tn), 

if v(B) ≰ v(C) and v(B) = (t1, ..., tn), then v(B ⊃ C) = (c1, ..., cn), 

if v(B) ≰ v(C) and 1 ≰ v(B), then v(B ⊃ C) = (b1→c1, ..., bn→cn). 

The evaluation is algorithmic and no use of reasoning on the meta-level is needed, 
whereas in Kripke models the computation of the values of compound formulas 
uses classical reasoning on the meta-level. 



7 Some Examples of Algebraic Counter-Models 



Example 16. (P ⊃ Q) ∨ (Q ⊃ P), with P and Q distinct atoms: 

The antisequent ⇏ (P ⊃ Q) ∨ (Q ⊃ P) has the following CRIP derivation: 

   P ⇏ Q      Q ⇏ P 
  ─────────────────────── (11) 
   ⇏ P ⊃ Q, Q ⊃ P 
  ─────────────────────── (6) 
   ⇏ (P ⊃ Q) ∨ (Q ⊃ P) 

The Kripke counter-model is obtained by gluing the single-world Kripke models 
K1 and K2, with K1 ⊩ P and K2 ⊩ Q. The algebraic counter-model is obtained 
by taking the extra-topped Cartesian product of the corresponding positive 
Heyting algebras of two elements 

   1 = v1(Q)      1 = v2(P) 
   0 = v1(P)      0 = v2(Q) 

that is 

[Hasse diagram of the extra-topped product of two two-element algebras: the 
extra top 1 above the square with top (1, 1) and bottom (0, 0); not reproduced] 

The valuation of the atoms is 

v(Q) = (v1(Q), v2(Q)) = (1, 0), v(P) = (v1(P), v2(P)) = (0, 1) 

and now we can compute 

v(P ⊃ Q) = (1, 0), v(Q ⊃ P) = (0, 1), v((P ⊃ Q) ∨ (Q ⊃ P)) = (1, 1), 

so that 

1 ≰ v((P ⊃ Q) ∨ (Q ⊃ P)). 




Example 17. (P ⊃ Q ∨ R) ⊃ (P ⊃ Q) ∨ (P ⊃ R), with P, Q, R distinct atoms: 
The CRIP derivation is 

   R, P ⇏ Q                        Q, P ⇏ R 
  ────────────────── (5)          ────────────────── (4) 
   Q ∨ R, P ⇏ Q                    Q ∨ R, P ⇏ R 
  ────────────────── (7)          ────────────────── (7) 
   P ⊃ Q ∨ R, P ⇏ Q                P ⊃ Q ∨ R, P ⇏ R 
  ────────────────────────────────────────────────── (11) 
   P ⊃ Q ∨ R ⇏ P ⊃ Q, P ⊃ R 
  ────────────────────────────────────────────────── (6) 
   P ⊃ Q ∨ R ⇏ (P ⊃ Q) ∨ (P ⊃ R) 
  ────────────────────────────────────────────────── (11) 
   ⇏ (P ⊃ Q ∨ R) ⊃ (P ⊃ Q) ∨ (P ⊃ R) 

We get the Kripke counter-model by gluing the two single-world Kripke models, 
K1 forcing P and R, and K2 forcing Q and P. Observe that the lower instance of 
rule (11) does not require any gluing. Thus, the corresponding algebraic model 
is as in example 16, with 

v(P) = (1, 1), v(Q) = (0, 1), v(R) = (1, 0). 

Therefore 

v(Q ∨ R) = (1, 1), v(P ⊃ Q) = (0, 1), v(P ⊃ R) = (1, 0), 

thus 

v(P ⊃ Q ∨ R) = 1 ≰ v((P ⊃ Q) ∨ (P ⊃ R)) = (1, 1). 
Example 18. (~P ⊃ Q ∨ R) ⊃ (~P ⊃ Q) ∨ (~P ⊃ R), P, Q, R distinct atoms: 
The CRIP derivation is 

   P ⇏ ⊥                    R, ~P ⇏ Q                   Q, ~P ⇏ R 
  ────────────────── (12)   ────────────────── (5)      ────────────────── (4) 
   ⊥ ⊃ Q ∨ R, P ⇏ ⊥          Q ∨ R, ~P ⇏ Q               Q ∨ R, ~P ⇏ R 
                            ────────────────── (10)     ────────────────── (10) 
                             ~P ⊃ Q ∨ R, ~P ⇏ Q          ~P ⊃ Q ∨ R, ~P ⇏ R 
  ─────────────────────────────────────────────────────────────────────── (11) 
   ~P ⊃ Q ∨ R ⇏ ~P ⊃ Q, ~P ⊃ R 
  ─────────────────────────────────────────────────────────────────────── (6) 
   ~P ⊃ Q ∨ R ⇏ (~P ⊃ Q) ∨ (~P ⊃ R) 
  ─────────────────────────────────────────────────────────────────────── (11) 
   ⇏ (~P ⊃ Q ∨ R) ⊃ (~P ⊃ Q) ∨ (~P ⊃ R) 

We construct the Kripke counter-model to the end-antisequent by gluing the 
three Kripke trees forcing, respectively, P, R, and Q. The corresponding positive 
Heyting algebra is the extra-topped cube 

[Hasse diagram of the extra-topped cube; not reproduced] 

where v(P) = (1, 0, 0), v(R) = (0, 1, 0), v(Q) = (0, 0, 1). We can now illustrate 
the ease by which the values of compound formulas are determined in the 
algebraic semantics, by simple computation from values of atomic formulas: 

v(~P) = (1, 0, 0)→(0, 0, 0) = (0, 1, 1) 

v(Q ∨ R) = (0, 1, 1) 

v(~P ⊃ Q ∨ R) = (0, 1, 1)→(0, 1, 1) = 1 

v(~P ⊃ Q) = (0, 1, 1)→(0, 0, 1) = (1, 0, 1) 

v(~P ⊃ R) = (0, 1, 1)→(0, 1, 0) = (1, 1, 0) 

v((~P ⊃ Q) ∨ (~P ⊃ R)) = (1, 0, 1)∨(1, 1, 0) = (1, 1, 1) 

v((~P ⊃ Q ∨ R) ⊃ (~P ⊃ Q) ∨ (~P ⊃ R)) = 1→(1, 1, 1) = (1, 1, 1). 

8 Concluding Remarks 

We have given an algebraic semantics of refutation and replaced the determination 
of forcing of formulas in a Kripke model by a straightforward component-wise 
computation. Kripke models have been used only for showing the correctness 
of the construction, that parallels the construction of a Kripke counter-model out 
of a CRIP derivation. In a further work we plan to study the direct construction 
of counter-valuations avoiding Kripke models altogether. 

Positive Heyting algebras and the definition of validity as a negative notion 
have been here introduced for systematic reasons, even if they could have been 
avoided in the case of intuitionistic propositional logic because of decidability. 
We hope to extend the algebraic semantics and counter-valuation construction 
to intuitionistic predicate logic and expect that the use of positive Heyting alge- 
bras will result in a computationally stronger semantics as compared to Kripke 
models. 

Implementation of our algorithm of counter-model construction should present 
no particular difficulties. 

We are indebted to Roy Dyckhoff for his useful comments and advice. Thanks 
are due to Paul Taylor for his package for drawing diagrams in LaTeX. 
Abstract. We present a framework for eliminating redundancies during 
the reconstruction of sequent proofs from matrix proofs. We show that 
search-free proof reconstruction requires knowledge from the proof search 
process. We relate different levels of proof knowledge to reconstruction 
knowledge and analyze which redundancies can be deleted by using such 
knowledge. Our framework is uniformly applicable to classical logic and 
all non-classical logics which have a matrix characterization of validity 
and enables us to build adequate conversion procedures for each logic. 



1 Introduction 

Automated theorem proving in non-classical logics has become important in 
many branches of Artificial Intelligence and Computer Science. As a result, the 
resolution principle [14] and the connection method [1,2], which both have led to 
efficient theorem provers for classical logic [22, 9, 3], have been extended to char- 
acterizations of logical validity in modal logics, intuitionistic logic, and fragments 
of linear logic [20, 10, 21, 19, 7]. These characterizations are the foundation of ef- 
ficient and uniform proof search procedures for all these logics [12, 13, 7] which 
are used as inference engines in automatic program development systems [8, 4] 
and other problem-oriented applications [5] . 

In many applications of theorem proving it is not sufficient to show that a 
theorem is valid. The need for further processing (e.g. generating programs from 
proofs) or a deeper understanding of the proof requires that proof details can be 
presented in a comprehensible form. On the other hand, the efficiency of auto- 
mated proof methods strongly depends on a compact and machine-oriented char- 
acterization of logical validity. This makes it necessary to reconstruct a sequent 
proof, a natural deduction proof, or even a proof in a semi-natural mathematical 
language from an automatically generated machine proof. 

As a complement to existing matrix-based proof search methods we have de- 
veloped a uniform procedure for transforming classical and non-classical matrix 
proofs back into sequent style systems [16,17,7]. This procedure creates a se- 
quent proof for a given formula by traversing its formula tree in an order which 
respects a reduction ordering induced by the matrix proof. It selects an appro- 
priate sequent rule for each visited node by consulting tables which represent 
the peculiarities of the different logics. At nodes which cause the sequent proof 
to branch the reduction ordering has to be divided appropriately and certain 
redundancies need to be eliminated in order to ensure completeness. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 262-276, 1998. 
Redundancy elimination is the most crucial aspect of proof reconstruction if 
matrix proofs shall be converted into sequent proofs without additional search. 
We will show that the complexity of eliminating redundancy strongly depends 
on the amount of proof knowledge made available by the proof search method. 
If the procedure has to rely only on the matrix characterization then additional 
search becomes necessary, but redundancies can be eliminated in polynomial 
time in the size of the matrix proof if the history of the proof search is known. 

In this paper we shall present a detailed analysis of possible redundancies in a 
reduction ordering and of the proof reconstruction knowledge which is necessary 
to delete them. We shall study different levels of proof knowledge and their effects 
on the proof reconstruction process. We will introduce prefixed connections as 
a logic-independent concept which allows us to extract conditions for extending 
the elimination of redundancies to a maximal level. Our result can be used as 
a general framework for building efficient and complete proof reconstruction 
procedures for non-classical logics if the proof search method is known. 

In Section 2 we give a brief summary of matrix characterizations and proof 
reconstruction in non-classical logics. Section 3 classifies redundancies in matrix 
proofs and the requirements for eliminating them. In Section 4 we discuss proof 
knowledge available from the extension procedure [2, 12] and the resulting redun- 
dancy elimination methods. In Section 5 we investigate the complexity, adequate 
completeness, and correctness of the refined proof reconstruction method. 

2 Preliminaries 

Matrix characterizations of logical validity were introduced for classical logic [1, 
2] and later extended to intuitionistic and modal logics [21] and fragments of 
linear logic [7] . On this basis an efficient proof search procedure has been elabo- 
rated [12, 7] which captures all these logics in a uniform way. A uniform procedure 
for converting matrix proofs into sequent proofs has been developed in [17, 7]. 

2.1 Matrix Calculi for Non-classical Logics 

In matrix proofs a formula F is represented by its formula tree ≪ whose nodes 
are called positions. Each position x of ≪ refers to a unique subformula of F. 
The root w of ≪ represents F itself while its leaves (or atomic positions) refer to 
the atoms of F. Because of the corresponding subformula relation ≪ is called the 
tree ordering of F. Each position x is associated with a polarity pol(x) ∈ {0, 1}, a 
principal type Ptype(x), and its operator op(x). The polarity determines whether 
Fx will appear in the succedent of a sequent proof (pol(x) = 0) or in its antecedent. 
Fx^pol(x) is the formula at position x. The principal type Ptype(x) 
is the formula type of Fx according to the tableaux classification in [21, 6]. 
Principal types are a compact and logic-independent way to express proof-relevant 
properties of a formula [17]. In the following we will only consider the types α, 
β, and atom. Two atomic positions x and y are α-related or β-related 
if their greatest common predecessor in ≪ has principal type α (or 
β). A non-normal form matrix of F is a two-dimensional representation of the 
atomic positions of ≪ such that β-related positions are placed on top of each 
other while α-related are written side by side. A path p through F is a maximal 
subset of atomic positions which are pairwise not β-related. 

A connection is a subset {c1, c2} of a path p such that the atoms Fc1 and Fc2 
have the same predicate symbol but different polarities. It is complementary if 
Fc1 and Fc2 can be unified by some combined substitution σ = (σQ, σL). σQ is 
the usual quantifier substitution while σL, used to analyze non-permutabilities 
of sequent rules in a non-classical logic L, unifies the prefixes of the connected 
atoms. The prefix of an atom Fx is a string consisting of special positions in ≪ 
between the root w and x. A set of connections C spans a formula F (or is a 
spanning mating) if each path contains a complementary connection c ∈ C. The 
substitution σ induces a relation ⊏ on the positions of ≪ such that (x, a) ∈ ⊏ 
iff σ(x) = a and a is not a variable. σ is admissible if the reduction ordering 
◁ = (≪ ∪ ⊏)⁺ is irreflexive and some additional global conditions hold. Finally, 
multiple uses of subformulae in a matrix proof are represented by a combined 
multiplicity μ = (μQ, μL) of the positions x in ≪. Using these concepts logical 
validity can be uniformly characterized as follows (see [21, 7] for details). 

Theorem 1. A formula F is valid wrt. a logic L iff there exists a multiplicity 
μ, an admissible substitution σ, and a set of connections C which spans F. 

Proof search procedures based on the matrix characterization of logical valid- 
ity are generalizations of the extension method [2] to non-normal form matrices 
and non-classical logics [12, 7]. They consist of a general path-checking algorithm 
and a uniform and efficient algorithm for prefix unification [11]. 

In the following we shall use the reduction ordering ∝*, a slight technical 
modification of ◁ (see [17]) as starting point for proof reconstruction and 
consider only those aspects of σ which are encoded in ∝*. The following example 
illustrates the matrix characterization of logical validity in intuitionistic logic. 

Example 1. Consider F1 = ¬A ∨ ¬B ⇒ ¬B ∨ ¬A and its intuitionistic matrix proof, 
represented by the reduction ordering ∝* on the left hand side of Figure 1. The name 
αi, βi, or ai for a position x encodes its principal type while its main operator op(x) 
and the polarity pol(x) are written beside it. There are two paths through F1, p1 = 
{a1, a3, a4} and p2 = {a2, a3, a4}. The two connections {a1, a4} and {a2, a3} (depicted 
at atomic positions) span F1 wrt. some intuitionistic admissible substitution σ which 
induces the relation ⊏ = {(α6, α2), (α5, α3)} (indicated by curved arrows). 

[Figure 1 shows, from left to right, the reduction orderings ∝*, ∝1* and ∝2*; 
not reproduced] 

Fig. 1. Reduction ordering ∝* for ¬A ∨ ¬B ⇒ ¬B ∨ ¬A 
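The path and connection part of the characterization above can be made concrete for the propositional case. The following Python is an added example (written for this edition, not code from the paper or its authors) that assigns polarities and principal types α/β to the positions of a formula tree, enumerates its paths, and decides whether the set of all complementary connections spans the formula. It implements only the classical part of Theorem 1: prefixes, σL, multiplicities and the admissibility check are not computed, so for intuitionistic logic a positive answer is a necessary condition, not a proof. The tuple encoding of formulas, the position names `a1, a2, ...` given to atoms in left-to-right order, and the function names are assumptions of the example; run on F1 from Example 1 it yields exactly the paths and connections listed there.

```python
# Formulas are nested tuples (assumed encoding): ("atom", "A"), ("neg", A),
# ("and", A, B), ("or", A, B), ("imp", A, B).  The whole formula has polarity 0.


def ptype(op, pol):
    """Principal type: 'a' (alpha: all children lie on the same path) or
    'b' (beta: the children lie on different paths), by operator and polarity."""
    if op == "neg":
        return "a"
    conj_like = ((op == "and" and pol == 1) or (op == "or" and pol == 0)
                 or (op == "imp" and pol == 0))
    return "a" if conj_like else "b"


def child_polarities(op, pol):
    """Polarity of each immediate subformula."""
    if op == "neg":
        return (1 - pol,)
    if op == "imp":
        return (1 - pol, pol)
    return (pol, pol)


def analyse(formula, pol=0, atoms=None):
    """Return (paths, atoms): paths is a list of frozensets of atomic position
    names; atoms maps each position name to (predicate symbol, polarity)."""
    if atoms is None:
        atoms = {}
    if formula[0] == "atom":
        name = f"a{len(atoms) + 1}"          # preorder, left to right
        atoms[name] = (formula[1], pol)
        return [frozenset([name])], atoms
    op, children = formula[0], formula[1:]
    sub = [analyse(c, p, atoms)[0]
           for c, p in zip(children, child_polarities(op, pol))]
    if ptype(op, pol) == "a":
        combined = [frozenset()]             # alpha: every path crosses all children
        for paths in sub:
            combined = [x | y for x in combined for y in paths]
        return combined, atoms
    return [p for paths in sub for p in paths], atoms   # beta: paths are kept apart


def complementary(atoms, x, y):
    """Classical propositional complementarity: same symbol, different polarity."""
    (px, polx), (py, poly) = atoms[x], atoms[y]
    return px == py and polx != poly


def spans(atoms, paths, connections):
    """C spans F iff every path contains some complementary connection c in C."""
    return all(any(c <= p and complementary(atoms, *c) for c in connections)
               for p in paths)


def spanning_mating(formula):
    """Collect every complementary pair lying on some path; return that set if
    it spans the formula, otherwise None (no spanning mating exists, since any
    mating is a subset of this set)."""
    paths, atoms = analyse(formula)
    conns = {frozenset((x, y)) for p in paths for x in p for y in p
             if x < y and complementary(atoms, x, y)}
    return conns if spans(atoms, paths, conns) else None


if __name__ == "__main__":
    A, B = ("atom", "A"), ("atom", "B")
    # F1 from Example 1:  ¬A ∨ ¬B ⇒ ¬B ∨ ¬A
    F1 = ("imp", ("or", ("neg", A), ("neg", B)), ("or", ("neg", B), ("neg", A)))
    paths, atoms = analyse(F1)
    print(sorted(sorted(p) for p in paths))     # [['a1','a3','a4'], ['a2','a3','a4']]
    print(spanning_mating(F1))                   # {a1,a4} and {a2,a3}
    print(spanning_mating(("imp", ("or", A, B), A)))   # None: not classically valid
```

The example generalises the single instance in the text: it handles any propositional formula over ¬, ∧, ∨ and ⇒, and a `None` result shows a path with no complementary connection, which is the classical counter-model skeleton. Note that `spanning_mating` returns the set of all complementary connections; for F1 that set happens to be the minimal spanning mating quoted in Example 1.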
2.2 Proof Reconstruction in Non-classical Logics 

An algorithm for converting a matrix proof of a formula F into a sequent proof 
essentially has to traverse the reduction ordering ∝* while constructing a sequent 
rule at each visited position x. We focus on conversion into multiple conclusion 
sequent calculi (cf. [6]) where a sequent Γ ⊢ Δ is described by associated sets of 
signed formulae: SΔ = {F^0 | F ∈ Δ}, SΓ = {F^1 | F ∈ Γ}, and S = SΔ ∪ SΓ. 
The main operator op(x) and polarity pol(x) uniquely describe the sequent rule 
necessary to reduce the sequent formula Fx^pol(x) ∈ S. The subformulae resulting 
from applying this rule to Fx^pol(x) are determined by the set succ(x) of immediate 
successors of x in ≪. The induced relation ⊏ encodes the non-permutabilities of 
sequent rules in a logic L and "blocks" certain positions x: rule construction for 
x will be delayed until all its predecessors wrt. ⊏ have been visited first. 

At a β-position x a sequent proof branches into two independent subproofs. 
Accordingly, the reduction ordering ∝* must be split into suborderings ∝1*, ∝2* 
and conversion continues separately on each of them. The operation split(∝*, x), 
developed in [17] and illustrated in Figure 1, first divides ∝* and then eliminates 
components of each ∝i* which are no longer relevant for the corresponding 
sequent subproof. Proof reconstruction terminates when all branches of the sequent 
proof have been closed by converting a connection from the matrix proof. Because 
of the uniformity of the conversion procedure the technical details are subtle. 
In the following we give a rather informal account of traversal and splitting and 
refer to [17, 18, 7] for a complete and algorithmic presentation. 



Traversal of ∝*. Each position in ≪ has to be visited and marked as solved 
if it is not blocked. A position x is open (i.e. eligible to be visited next) if 
its immediate predecessor pred(x) is already solved but x is not. After x has 
been solved the set Po of all open positions is updated to Po := (Po \ {x}) ∪ 
succ(x). If x is a β-position, then split(∝*, x) (see below) divides ∝* into ∝1*, ∝2*, 
recomputes the corresponding sets Po^1, Po^2 and each ∝i* is traversed recursively. 
If two solved positions form a complementary connection then the conversion of 
∝* terminates. Po is initialized as Po = {w} where w is the root of ∝*. 



Example 2. Consider the formula F1 from Example 1 and its matrix proof represented 
by the reduction ordering in Figure 1. We begin by initializing Po = {α1}. We solve α1 
and construct the sequent rule ⇒r obtained from the main operator ⇒ and polarity 0. 
Updating Po yields Po = {β1, α4}. Solving α4 next leads to applying ∨r to the formula 
at α4. At β1 we create ∨l and the sequent proof branches: split(∝*, β1) divides ∝* into 
the suborderings ∝1* and ∝2* depicted in Figure 1 (where a mark indicates the already 
solved positions). Recomputing the sets of open positions results in Po^1 = {α2, α6} 
and Po^2 = {α3, α5}. 

We continue by traversing ∝1*. The position α2 is blocked by α6 since the 
corresponding sequent rule has to be applied before the rule which belongs to α2. We 
must solve α6 to unblock α2. The atomic position a4 is next but no sequent rule will 
be generated since its connection partner a1 has not been solved yet. We solve α2 and 
complete the subproof by applying the axiom rule based on the connection {a1, a4}. 
Converting the subordering ∝2* works as before. The resulting sequent proof is shown 
to the right. 

[sequent proof for F1; not reproduced] 
Splitting at β-positions. The main modification of the reduction ordering 
during proof reconstruction occurs when traversal has reached a β-position x 
and ◁* has to be divided into ◁*_1 and ◁*_2. If {x1, x2} are the successors of x 
then the formula at x1 moves to the left subproof of the corresponding sequent proof 
and the one at x2 to the right one. Since the set of open positions P_O encodes the 
actual sequent, only one of the two successors of x will be added to each P_O^i, i.e. 
P_O^1 = (P_O \ {x}) ∪ {x1}. Formally splitting is based on the following definitions. 

Definition 1. Let x be a position of ◁* and ≪_x the subtree ordering with root 
x and position set pos(x), including the pair (pred(x), x) ∈ ≪_x. The restriction 
of ◁* involving positions from pos(x) is defined as ◁*_x := ≪_x ∪ ⊏_x where ⊏_x := 
{(x1, x2) ∈ ⊏ | x1 ∈ pos(x) ∨ x2 ∈ pos(x)}. If C is the connection set of ◁* then 

  C_x := {{c1, c2} ∈ C | c1 ∈ pos(x)}. 

Definition 2. Let x be of type β and succ(x) = {x1, x2}. The β-split of ◁* at x 
is defined by β-split(◁*, x) := [◁*_1, ◁*_2], where ◁*_1 = ◁* \ ◁*_{x2} and ◁*_2 = ◁* \ ◁*_{x1}. 

For the subrelations and connections we have ⊏_i := ⊏ \ ⊏_{x_j}, ≪_i := ≪ \ ≪_{x_j} 
and C_i := C \ C_{x_j}, where i ≠ j ∈ {1, 2}. 

After a β-split certain redundancies need to be deleted from each ◁*_i. This 
improves the efficiency of the reconstruction process and is necessary for ensuring 
its completeness when dealing with non-classical logics. We will discuss this now. 

3 Classifying Redundancy in Matrix Proofs 

Usually, the order in which a reduction ordering ◁* can be traversed while 
respecting the ‘blocks’ induced by ⊏ is not unique. In Example 2 we could have 
visited a1, a4, and then a5 instead of β1. This, however, would not lead to a 
successful sequent proof since applying the ¬r rule corresponding to a5 causes the 
deletion of the formula ¬A which is relevant for completing the proof. Thus the 
reduction ordering ◁* is not complete wrt. rule non-permutabilities of the (non- 
standard) sequent calculus. In [17] we have introduced the concept of wait-labels 
which are dynamically assigned to special positions of ◁* during conversion and 
make ◁* complete wrt. all non-classical logics under consideration. 

In intuitionistic logic an open position x ∈ P_O is blocked by such a wait-label 
(denoted by wait[x] = T) iff applying the corresponding sequent rule to F_x 
would delete proof-relevant formulae. In Example 2 wait-labels must be assigned 
to a5 and a6 after solving a1, a4 since reducing F_{a5} would delete F_{a6} and vice 
versa. Hence β1 must be solved next by applying β-split(◁*, β1). But the re- 
sulting suborderings ◁*_i contain redundancies which would create a deadlock. In 
◁*_1 = ◁* \ ◁*_{a3}, for instance, the open positions are P_O^1 = {a2, a5, a6} where a5, a6 
are blocked by wait-labels and a2 is blocked because of (a6, a2) ∈ ⊏. F_{a5} = ¬B 
is not relevant for the subproof represented by ◁*_1 and can safely be deleted by 
applying ¬r to F_{a6} = ¬A. wait[a6] = T should no longer hold as well. 

Since wait-labels shall prevent only the deletion of proof-relevant sequent 
formulae, we have to remove outdated wait-labels in order to guarantee com- 
pleteness. We will solve this problem by redundancy deletion after β-splits, the 
identification of proof-relevant positions and elimination of redundant ones from 
the ◁*_i. This procedure strongly depends on the amount of proof knowledge made 
available by the proof search process, which leads to reconstruction knowledge 
about relevant and redundant positions. 



3.1 Literal Purity 

The minimal proof knowledge available after proof search is the set of connections 
C and the substitution σ which induces the relation ⊏. It leads to a generalized 
purity reduction (cf. [2]): an atomic position x of ◁* is called pure if it is not 
connected. Complementarity of paths will not depend on x or any literal in the 
same “clause” and the whole tree containing these literals is redundant. 

Definition 3. A position k with |succ(k)| ≥ 2 is a β-node if Ptype(k) = β 
and otherwise a 0-node. The greatest predecessor k of a position x in ≪ with 
|succ(k)| ≥ 2 is called the associated node of x. We write k ≪_β x if k is a 
β-node and k ≪_0 x otherwise. 

If x is pure after a β-split and k ≪_β x then the whole subtree with root k can 
be eliminated from ◁* and the predecessor position of k inherits the purity prop- 
erty. If k ≪_0 x then only the branch containing x can be deleted whereas k and 
all other branches have to remain in ◁* (usually k is no longer a 0-node after- 
wards). Combining these two reductions yields the function (β,0)-purity which 
will be applied to each subrelation ◁*_i after β-split. 

Definition 4. Let P_r = {b | succ(b) = ∅ ∧ ∀c ∈ C. b ∉ c} be the set of pure leaf 
positions in ◁*. Let Succ_s(x) := {succ_s(x)} ∪ succ*(succ_s(x)) where succ*(x) 
is the set of all successors of x in ≪ and succ_s(x) is a selection function with 
succ_s(x) = x_s if succ(x) = {x1, ..., xn}. The (β,0)-purity reduction is defined as: 

  function (β,0)-purity(◁*, C) : reduction-ordering 
    while P_r ≠ ∅ do 
      select b ∈ P_r; P_r := P_r \ {b}; let k be the associated node of b 
      if k ≪_β b then ◁* := ◁* \ ◁*_k;                            % β-purity 
                      C := C \ C_k;                               [boxed part] 
                      P_r := {b | succ(b) = ∅ ∧ ∀c ∈ C. b ∉ c} 
      else compute s where b ∈ Succ_s(k); ◁* := ◁* \ Succ_s(k)     % 0-purity 

To ensure completeness (β,0)-purity must be integrated into β-split as follows. 

Definition 5. The split-operation at a β-node x is defined by split(◁*, x) = 
[◁*_1', ◁*_2'], where ◁*_i' = (β,0)-purity(◁*_i, C_i) and [◁*_1, ◁*_2] = β-split(◁*, x). 

Consider again Example 2. After applying β-split(◁*, β1) the position a5 (a6) 
becomes pure in ◁*_1 (◁*_2). Since a4 ≪_0 a5 (a4 ≪_0 a6) applying 0-purity 
deletes the branch of a5 in ◁*_1 (of a6 in ◁*_2). Thus all wait-labels can be removed and traversal 
can proceed with each of the resulting suborderings ◁*_i' (see Figure 1). 
Fig. 2. Reduction orderings for ¬((A ∨ B) ∧ B) ∧ (¬A ∨ ¬D) ⇒ ¬(A ∨ B) ∨ ¬D 

3.2 The Decomposition Problem in ◁* 

The (β,0)-purity reduction is suitable for dealing with first level redundancy 
where proof relevance is determined by being connected. Pure positions, how- 
ever, are not the only redundancies that may occur during proof reconstruction. 
After β-split and (β,0)-purity one of the resulting suborderings may consist 
of several “isolated” subrelations which do not have connections between each 
other. In this case, only one of these subrelations is sufficient for making all paths 
complementary. Nevertheless the purity principle may not apply if all leaves in 
the other subrelations are connected and hence assumed to be proof-relevant. 

Example 3. Consider F_2 = ¬((A ∨ B) ∧ B) ∧ (¬A ∨ ¬D) ⇒ ¬(A ∨ B) ∨ ¬D and the 
reduction ordering ◁* resulting from its intuitionistic matrix proof in Figure 2 (left 
hand side). For proof reconstruction we solve the positions a1, a2, a7 and split at β2 
which corresponds to the following proof fragment: 

  ¬((A ∨ B) ∧ B), ¬A ⊢ ¬(A ∨ B), ¬D        ¬((A ∨ B) ∧ B), ¬D ⊢ ¬(A ∨ B), ¬D 
  ----------------------------------------------------------------------- ∨l 
                 ¬((A ∨ B) ∧ B), ¬A ∨ ¬D ⊢ ¬(A ∨ B), ¬D 
  ----------------------------------------------------------------------- ⇒r, ∧l, ∨r 
              ⊢ ¬((A ∨ B) ∧ B) ∧ (¬A ∨ ¬D) ⇒ ¬(A ∨ B) ∨ ¬D 

In the subrelation ◁*_2 resulting from splitting (Figure 2, right hand side), which corre- 
sponds to the right sequent after ∨l, the set of open positions is P_O^2 = {a3, a6, a8, a9}. 
The positions a3 and a6 are blocked by ⊏ whereas a8 and a9 are blocked by wait-labels 
since reducing F_{a8} = ¬(A ∨ B)^0 would delete F_{a9} = ¬D^0 and vice versa. Furthermore, 
all atomic positions are connected and (β,0)-purity is not applicable. Thus proof 
reconstruction would run into a deadlock. But ◁*_2 has been decomposed into two “iso- 
lated” subrelations and the wait-labels could be removed if 
we could determine which subrelation suffices for constructing the proof. 

Deadlocks of the above kind occur in intuitionistic logic and in all modal logics 
considered in [17] where additional wait-labels are required for proof reconstruc- 
tion. In linear logic, wait-labels do not cause deadlocks and proof reconstruction 
does not have to deal with this kind of redundancy [7]. Finding the appropriate isolated 
subrelation is the decomposition problem in ◁* which we will formalize now. 

Definition 6. Let P_O be the set of open positions, P_A the set of atomic positions 
which are solved but connected, P_u = P_O ∪ P_A = {x1, ..., xn} the set of usable 
positions, and T_u = {t^{x1}, ..., t^{xn}}. The connection relation R_C ⊆ T_u × T_u is defined 
by R_C = {(t^{xi}, t^{xj}) | 1 ≤ i, j ≤ n ∧ ∃{ci, cj} ∈ C. ci ∈ pos(xi) ∧ cj ∈ pos(xj)}. 

By R_C^+ we denote the transitive closure of R_C. 
Let P_r be the set of pure positions. It is easy to see that R_C^+ defines an 
equivalence relation on T_u if P_r = ∅. In this case we will write ~_C instead of R_C^+. 
The equivalence class [t] ∈ T_u/~_C is defined by [t] = {t' | t ~_C t'}. 

Definition 7. Let P_r = ∅ and T_u/~_C = {[t^1], ..., [t^m]}. The decomposition 
problem in ◁* is the problem of selecting the proof-relevant [t^i] ∈ T_u/~_C. 

Definition 8. A reduction ordering ◁* is called a deadlock iff P_r = ∅ and for 
all x ∈ P_O either (y, x) ∈ ⊏ for some unsolved position y, or wait[x] = T. 

In Example 3 we have a decomposition problem in ◁*_2 after split(◁*, β2) since 
T_u/~_C = {[t^{a8}], [t^{a9}]}. In addition, ◁*_2 is a deadlock. 

The same situation is caused by α-reduction when solving a7 after β2. 
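The following Python is added here as an illustration and is not part of the paper: it models a reduction ordering as a position tree with a connection set and the blocking relation, and runs β-split, (β,0)-purity and the combined split of Definitions 2 to 5 (Section 3.1) together with the class count of T_u/~_C and the deadlock test of Definitions 6 to 8. The sample ordering, the position names a0 to a9 and the 'alpha'/'beta'/'atom' type labels are constructed for this example, and wait-labels are passed in as a set rather than computed.

```python
"""Toy model of the reduction ordering described above: a tree of positions
with principal types, a connection set C and the relation of pairs (y, x)
meaning "x is blocked until y is solved". Implements beta-split (Def. 2),
(beta,0)-purity (Def. 4), split (Def. 5), the classes of T_u/~_C (Defs. 6, 7)
and the deadlock test (Def. 8). Constructed illustration, not the authors' code."""
from dataclasses import dataclass, field


@dataclass
class Ordering:
    parent: dict            # position -> predecessor (root -> None)
    kind: dict              # position -> 'alpha' | 'beta' | 'atom'
    conns: set              # connections as frozenset({a, b})
    block: set = field(default_factory=set)  # (y, x): solve y before x

    def succ(self, x):
        return [p for p, q in self.parent.items() if q == x]

    def pos(self, x):       # x together with its whole subtree
        out, stack = set(), [x]
        while stack:
            y = stack.pop()
            out.add(y)
            stack.extend(self.succ(y))
        return out

    def without(self, gone):   # drop positions, and connections/blocks touching them
        parent = {p: q for p, q in self.parent.items() if p not in gone}
        return Ordering(parent, {p: self.kind[p] for p in parent},
                        {c for c in self.conns if not (c & gone)},
                        {(y, x) for y, x in self.block if not {y, x} & gone})

    def pure_leaves(self):     # P_r: leaves occurring in no connection
        connected = set().union(*self.conns)
        return {p for p in self.parent if not self.succ(p) and p not in connected}

    def associated_node(self, x):   # greatest predecessor with >= 2 successors
        k = self.parent[x]
        while k is not None and len(self.succ(k)) < 2:
            k = self.parent[k]
        return k


def beta_split(ordering, x):
    """Def. 2: each subordering keeps one successor of x and loses the other."""
    x1, x2 = ordering.succ(x)
    return ordering.without(ordering.pos(x2)), ordering.without(ordering.pos(x1))


def purity(ordering):
    """Def. 4: a pure leaf under a beta-node deletes that node's whole subtree
    (beta-purity); under any other node only the leaf's branch goes (0-purity)."""
    pr = ordering.pure_leaves()
    while pr:
        b = pr.pop()
        k = ordering.associated_node(b)
        if k is None:           # no branching above b: nothing to cut
            continue
        if ordering.kind[k] == 'beta':
            ordering = ordering.without(ordering.pos(k))
            pr = ordering.pure_leaves()      # pred(k) may now be a pure leaf
        else:
            branch = next(s for s in ordering.succ(k) if b in ordering.pos(s))
            ordering = ordering.without(ordering.pos(branch))
            pr &= set(ordering.parent)
    return ordering


def split(ordering, x):
    """Def. 5: beta-split followed by purity on both suborderings."""
    return tuple(purity(sub) for sub in beta_split(ordering, x))


def connection_classes(ordering, usable):
    """Number of classes of T_u/~_C: subtrees of usable positions linked
    transitively by connections. More than one class = decomposition problem."""
    owner = {a: x for x in usable for a in ordering.pos(x)}
    rep = {x: x for x in usable}

    def find(x):
        while rep[x] != x:
            x = rep[x]
        return x

    for a, b in map(tuple, ordering.conns):
        if a in owner and b in owner:
            rep[find(owner[a])] = find(owner[b])
    return len({find(x) for x in usable})


def is_deadlock(ordering, open_pos, solved, wait):
    """Def. 8: P_r empty and every open x blocked by an unsolved y with
    (y, x) in the relation, or wait-labelled."""
    if ordering.pure_leaves():
        return False
    return all(x in wait or any(y not in solved for y, z in ordering.block if z == x)
               for x in open_pos)


# Constructed sample: root a0 (alpha) over beta-node a1 with atoms a2, a3 and
# alpha-node a4 over atom a5 and beta-node a7 with atoms a8, a9.
SAMPLE = Ordering(
    parent={'a0': None, 'a1': 'a0', 'a2': 'a1', 'a3': 'a1', 'a4': 'a0',
            'a5': 'a4', 'a7': 'a4', 'a8': 'a7', 'a9': 'a7'},
    kind={'a0': 'alpha', 'a1': 'beta', 'a2': 'atom', 'a3': 'atom', 'a4': 'alpha',
          'a5': 'atom', 'a7': 'beta', 'a8': 'atom', 'a9': 'atom'},
    conns={frozenset({'a2', 'a5'}), frozenset({'a3', 'a8'}), frozenset({'a3', 'a9'})})
```

Calling split(SAMPLE, 'a1') shows β-purity removing the whole subtree of a7 on the left and 0-purity removing only the branch a5 on the right; connection_classes and is_deadlock then check the resulting suborderings.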

In general, proof reconstruction will require a solution for a decomposition 
problem if ◁* is also a deadlock. This may only occur in non-classical logics and 
is characterized by the following lemma (see [18] for a proof). 

Lemma 1. Let P_r = ∅. If ◁* is a deadlock then there exists {w1, w2} ⊆ P_O such 
that wait[w1] = wait[w2] = T and [t^{w1}] ≠ [t^{w2}]. 

Thus deadlocks can only occur if there is also a decomposition problem, i.e. 
T_u/~_C has at least two classes. Completeness of proof reconstruction can only be guaran- 
teed if the decomposition problem can be either avoided or solved since otherwise 
proof-relevant formulae might be deleted. A complete solution of the decompo- 
sition problem consists of establishing a selection function ψ which chooses 
the only relevant class [t^i] from ◁*. A solution is called adequate if ψ can 
be realized without any additional search. In Example 3 there is a deadlock in 
◁*_2 and [t^{a8}] ≠ [t^{a9}] holds for the two wait-labeled positions a8, a9. ψ should 
select [t^{a9}] since [t^{a8}] does not lead to a proof. 

Decomposition problems cannot be avoided during proof reconstruction. Nor 
can selection functions which are both complete and adequate be characterized 
for their solution. Completeness can be achieved only at the expense of ade- 
quateness, by searching all selections [t^i] until proof reconstruction succeeds. 
We call this kind of redundancy second level redundancy since it cannot be 
solved adequately without the use of additional proof knowledge. 

4 Integrating Proof Knowledge into Proof Reconstruction 

Constructing adequate solutions for a decomposition problem requires additional 
knowledge about the proof search method and the proof knowledge it has gath- 
ered while developing the matrix proof. In the following we characterize the 
knowledge that must be provided by the proof search method and assume this 
method to be based on the usual extension procedure [1, 2, 12]. We will encode 
the proof history of this procedure as reconstruction knowledge in the form of 
prefixed connections and derive a refinement of β-split and (β,0)-purity such 
that T_u/~_C will always consist of a single class. This makes it possible to avoid 
decomposition problems and deadlocks during the reconstruction process. 
4.1 Prefixed Connections 

The extension procedure checks the complementarity of sets of paths by following 
connections. It keeps track of the order in which connections have been followed 
and uses active paths to denote the sets of paths with the same initial subpath 
which have not yet been proven complementary. The history of constructing 
a matrix proof can be expressed by directed connections, i.e. pairs (a, b) ∈ C of 
atomic positions (instead of sets {a, b}), together with their active path context. 

Definition 9. An active path from a matrix proof ◁* is a sequence P_i = 
(a^i_1, b^i_1) ∘ ... ∘ (a^i_{m_i}, b^i_{m_i}) of pairs of atomic positions such that each a^i_{j+1} is β-related 
to b^i_j in ◁*. The set {P_1, ..., P_k} of all active paths from a matrix proof ◁* will 
be denoted by 𝒫. at(P_i) = a^i_1 ⋯ a^i_{m_i} is called the atom string of path P_i. 

Each connection c ∈ C can be related to the set of active subpaths in which it 
occurs. These subpaths will be represented by a set of prefixes Pre(c) such that 
the cardinality of Pre(c) encodes the multiple use of c in the matrix proof. 

Definition 10. Let c = (a, b) ∈ C be a connection and {P_1, ..., P_m} ⊆ 𝒫 be the set 
of active paths in which c occurs. The set Pre(c) of prefixes assigned to c consists, 
for each P_i, of the initial substring of at(P_i) which ends with a.¹ Pre(c) is also called the path context of c. 

For a set of connections C' ⊆ C we define Pref(C') = ⋃_{c ∈ C'} Pre(c). 

The basic property of the extension procedure is that all paths through an 
established connection are known to be complementary. Since active paths are 
explored depth-first we know that two connections used in the matrix proof can- 
not have common prefixes, i.e. Pre(c1) ∩ Pre(c2) = ∅ if c1 ≠ c2. From now on we 
shall illustrate matrix proofs and prefixed connections using the two-dimensional 
matrix representation of a formula (see section 2.1), although the reduction or- 
dering ◁* remains the basic data structure for proof reconstruction. 



Example 4. Consider the following (classical) non-normal form matrix which has been 
proven valid using the extension procedure (the start clause is marked in the matrix). 

[Figure: non-normal form matrix with the atomic positions a0 to a13 written beside its atoms 
and the prefix sets Pre(c) of its connections listed next to it] 

To obtain a unique indexing we have written atomic positions x from ◁* beside the 
atoms F_x. There are five active paths 𝒫 = {P1, P2, P3, P4, P5} with 
P1 = (a0, a1)∘(a3, a7)∘(a8, a9)∘(a10, a2)     P4 = (a0, a1)∘(a5, a6)∘(a8, a9)∘(a11, a5) 
P2 = (a0, a1)∘(a3, a7)∘(a8, a9)∘(a12, a13)    P5 = (a0, a1)∘(a5, a6)∘(a8, a9)∘(a12, a13) 
P3 = (a0, a1)∘(a4, a0) 

The atom strings at(P_i) = p_i are p1 = a0a3a8a10, p2 = a0a3a8a12, p3 = a0a4, p4 = 
a0a5a8a11, and p5 = a0a5a8a12. Each connection c ∈ C receives a set of prefixes Pre(c) 
(see next to the matrix). The connections (a12, a13) and (a8, a9) have two prefixes due 
to their multiple occurrence in the path contexts P2, P5 and P1, P2, P4, P5 respectively. 

¹ q ⊑ p denotes that q is an initial substring of p. ε denotes the empty string. 
4.2 Splitting with Prefixed Connections 

Prefixed connections encode multiple occurrences of active subpaths in a ma- 
trix proof. The active paths encode possible split structures of sequent proofs 
wrt. the axioms determined by the connections. Splitting with prefixed connec- 
tions basically derives a classification of the active paths (i.e. prefixes) which 
have been interrupted during β-split. From this, the operation β-split can be 
refined to extend redundancy deletion along these “interrupted subpaths”. 

Definition 11. Let y be a position in ◁*, ≪_y its subtree, At^y the corresponding 
set of atomic positions, and C^y the set of directed connections in ≪_y. We divide 
C^y into the set of entry connections C^y_en = {(c, d) ∈ C^y | d ∈ At^y} and the set 
of extension connections C^y_ex = {(c, d) ∈ C^y | c ∈ At^y}. Accordingly, Pref(C^y) is 
divided into the set of entry- and extension prefixes: Pref(C^y_en) and Pref(C^y_ex). 

C^y_en ∩ C^y_ex is nonempty iff (c, d) ∈ C^y is a connection and {c, d} ⊆ At^y. Splitting 
at a β-position causes, at a first level, the elimination of a submatrix At^y with 
connections and, at a second level, interruptions of active subpaths. By sepa- 
rating entry- and extension connections after splitting we can identify prefixes of 
connections which depend on deleted connections and determine the interrupted 
active subpaths. Prefixes depending on extension connections cannot contribute 
to a subproof any longer and are forward redundant. Prefixes depending on entry 
connections are backward redundant towards a minimal subprefix. 

In order to eliminate this kind of redundancy, we must respect these de- 
pendencies while deleting connections during β-split and (β,0)-purity. In a 
first step we will eliminate prefixes from C which are redundant wrt. the deleted 
connection set C^y. For this we need a copy of the original matrix proof, i.e. the 
reduction ordering and connection set. Moreover, we define a concept of α-related 
subproofs in a matrix in order to capture non-normal form reduction steps. 

Definition 12. Let ◁*_0, C_0 denote the original matrix proof. For a prefix q x_q let 
At_0 be the minimal submatrix in ◁*_0 such that q ∈ Pref(C_0) denotes the entry con- 
nection and q x_q ∈ Pref(C_0) the extension connection in At_0. The set of α-related 
subproofs of q x_q is determined by the prefix set T_0^{q x_q} = {t ∈ Pref(C_0) | q x_q ⊑ t}. 
The set of atomic positions which are involved by T_0^{q x_q} is defined as: 

  P_0^{q x_q} = {a ∈ At_0 | ∃c = (c1, c2) ∈ C_0. ∃t ∈ T_0^{q x_q}. (a = c1 ∨ a = c2) ∧ t ∈ Pre(c)} 

During the conversion process, the set of α-related subproofs of q x_q is denoted 
by M_{q x_q} ⊆ T_0^{q x_q}. The corresponding atomic positions are given by P_{q x_q} ⊆ P_0^{q x_q}. 
Backward redundancy starts the deletion process at an entry prefix p and termi- 
nates at a minimal subprefix q of p which is determined either by a non-normal 
form reduction step in ◁* or by the original matrix proof ◁*_0. 

Definition 13. Let D ⊆ Pref(C_0), p ∈ D, and M_{q x_q} ⊆ T_0^{q x_q}. q is called the 
minimal subprefix of p wrt. D, M_{q x_q} iff q ∈ Pref(C_0) ∪ {ε}, q ⊑ p, and either 

1. q is the maximal initial substring of p for which there are t, q x_q ∈ D such 
that q x_q ⊑ p ⊑ t and t ∈ M_{q x_q}, or 

2. q is the maximal initial substring of p for which q ∉ D. 

For abbreviation, we write q <_min p wrt. D, M_{q x_q}. 




272 S. Schmitt and C. Kreitz 



For a position set P we abbreviate ∀y ∈ P. x ~_α y by x ~_α P (assume x ~_α x). 

Definition 14. Let p be an entry prefix and q its minimal subprefix. The oper- 
ations for deleting backward and forward redundancy are defined by: 

  del_en(p, q) = {s | q x_q ⊑ s ∧ p ⋢ s ∧ x_q ~_α P^{q x_q}}   and   del_ex(p) = {s | p ⊑ s}. 

del_en(p, q) covers all active subpaths s which have an entry connection with 
a prefix p as a direct or as an indirect subgoal. Suppose that y is the β-position 
for splitting. A connection with prefix p uses an atom from At^y as entry point 
and will become open ended or “interrupted” after deletion of At^y. Hence, no 
split ordering in a sequent proof can close the subpaths s between the α-related 
subproofs of q x_q and all s with p ⊑ s, using the remaining connections from ◁*. 

del_ex(p) describes all active subpaths s which depend on an extension con- 
nection with prefix p. Each such connection uses an atom from At^y as extension 
point and will receive an open beginning after the deletion of At^y. Again, the 
subpaths s cannot be closed with the given connections. 

In the following we extend these deletion operations to all entry / extension 
prefixes Pref(C^y_en) / Pref(C^y_ex) of a submatrix At^y which has to be deleted next. 
This extension is defined stepwise since the result of one deletion step may 
influence the remaining candidate sets for the next step. The resulting prefix set 
depends on the order of prefix selection during this iteration and does not lead 
to unique subproofs after splitting. 

Definition 15. Let C be the connection set of ◁* and y be a position in ◁*. Let 
Pref(C^y_en) be the set of entry prefixes and Pref(C^y_ex) be the set of extension prefixes 
corresponding to C^y. We set D^0 = Pref(C), P^0_en = Pref(C^y_en), P^0_ex = Pref(C^y_ex), 
M^0_r = T_0^r for all r ∈ Pref(C), and Q^0 = ∅. Then we define the following iteration: 

  D^i = D^{i-1} \ S^i,   P^i_en = D^i ∩ P^{i-1}_en,   M^i_r = M^{i-1}_r ∩ D^i for all r ∈ D^i, 
  P^i_ex = D^i ∩ P^{i-1}_ex,   Q^i = (Q^{i-1} ∪ U^i) \ S^i 

until i = n such that P^n_en = P^n_ex = ∅. During iteration we have: 

  S^i = del_en(p, q) for a p ∈ P^{i-1}_en with q <_min p wrt. D^{i-1}, M^{i-1},  or 
  S^i = del_ex(p) for a p ∈ P^{i-1}_ex, 
  U^i = {q x_q | q x_q ∉ D^i ∧ y ⋢ x_q ∧ M^{i-1}_{q x_q} ≠ ∅ ∧ M^i_{q x_q} = ∅} 

The redundant prefixes are given by the sets S^i, depending on whether deletion of back- 
ward redundancy p ∈ P^{i-1}_en or forward redundancy p ∈ P^{i-1}_ex has been performed. 
The sets U^i denote unblocked redundancies caused during deletion of S^i. They 
consist of already deleted prefixes q x_q whose α-related subproofs M_{q x_q} have 
blocked deletion of backward redundancy in former steps. If step i results in a 
complete deletion of M_{q x_q}, the blocked backward deletion wrt. q x_q has to be 
continued. If y ⊑ x_q (where y is the splitting node) continuation of backward 
deletion has to be performed by β-split in order to retain soundness. The sets 
U^i will be collected in a set Q^i and regularly updated modulo the actual dele- 
tion set S^i. This operation forces the sets Q^i to deal with prefixes which have 
not necessarily been deleted from D^i in the actual step. The concept ensures 
a robust treatment of ordering dependencies in which prefixes will be selected 
from the candidate sets P^i_en and P^i_ex. In order to characterize a complete prefix 
deletion we integrate the elimination of unblocked redundancies as follows: 
Definition 16. We start with the sets D^n, Q^n, and M^n_r for all r ∈ D^n. Then 

  D^{n+j} = D^{n+j-1} \ S^{n+j},   M^{n+j}_r = M^{n+j-1}_r ∩ D^{n+j} for all r ∈ D^{n+j}, 
  Q^{n+j} = (Q^{n+j-1} ∪ U^{n+j}) \ S^{n+j} 

until j = m such that Q^{n+m} = ∅. Again, we use during iteration: 

  S^{n+j} = del_en(p, q) for a p ∈ Q^{n+j-1} with q <_min p wrt. D^{n+j-1} ∪ {p}, M^{n+j-1}, 
  U^{n+j} = {q x_q | q x_q ∉ D^{n+j} ∧ y ⋢ x_q ∧ M^{n+j-1}_{q x_q} ≠ ∅ ∧ M^{n+j}_{q x_q} = ∅} 

pref-del(C, C^y) denotes the complete operation prefix deletion in C wrt. a con- 
nection set C^y and yields a set C' with Pref(C') = D^{n+m}. 

Obviously, Pref(C^y) = ∅ after applying pref-del(C, C^y) since s = p satisfies the 
conditions of Definition 14, for all p ∈ Pref(C^y). A connection c ∈ C is called re- 
dundant if it does not occur within at least one active subpath, i.e. if Pre(c) = ∅. 

Definition 17. Let y be a position in ◁* and C^y ⊆ C be the connection set 
corresponding to At^y. Then connection deletion in C wrt. C^y is defined by 
con-del(C, C^y) := C' \ {c | Pre(c) = ∅}, where C' = pref-del(C, C^y). 

Redefining the split operation. An extended elimination of redundancies 
during proof reconstruction is realized by redefining the split operation at β- 
positions. Connection deletion during β-split and (β,0)-purity is determined 
by C \ C^y wrt. the deleted submatrix At^y. The refined connection deletion will 
remove all interrupted subpaths from C such that no connection c ∈ C' with Pre(c) = ∅ 
remains. This incremental process guarantees redundancy deletion on the “low” 
connection level and on the “higher” level of path contexts. As a consequence, 
redundancy will be deleted already when it occurs and not when it becomes 
visible in the form of a decomposition problem in ◁*. 

The refined connection deletion requires us to modify some definitions since C 
is now a set of directed connections. We redefine C_x in Definition 1 as {(c1, c2) ∈ C | 
c1 ∈ pos(x) ∨ c2 ∈ pos(x)}. In Definition 2 we replace C_i := C \ C_{x_j} by C_i := 
con-del(C, C^{x_j}). Definition 4 is modified by extending b ∉ c to directed connec- 
tions c = (c1, c2) when defining the set P_r and removing the boxed part in 
(β,0)-purity since the refinements of β-split avoid further prefix and connection 
deletions. Finally, the split operation from Definition 5 uses the new β-split and 
(β,0)-purity. The following example illustrates the refined operations. 

Example 5. Consider the proof history from the extension proof of Example 4. During 
proof reconstruction we split at the dashed-boxed clause containing the atoms at a9, {a10, a11} 
and a12 by solving a β-position x in ◁* with succ(x) = {x1, a12}. We have At^{x1} = {a9, a10, a11}, 
C^{x1}_en = {(a8, a9)} with Pref(C^{x1}_en) = {a0a3a8, a0a5a8}, and C^{x1}_ex = {(a10, a2), (a11, a5)} with 
Pref(C^{x1}_ex) = {a0a3a8a10, a0a5a8a11}. Similarly, At^{a12} = {a12}, C^{a12}_ex = {(a12, a13)}, 
and Pref(C^{a12}_ex) = {a0a3a8a12, a0a5a8a12}. Applying β-split(◁*, x) results in 

  ◁*_1 = ◁* \ ◁*_{x1} (i.e. deleting the literals of At^{x1}) and C_1 = con-del(C, C^{x1}), 

  ◁*_2 = ◁* \ ◁*_{a12} (i.e. deleting the literal at a12) and C_2 = con-del(C, C^{a12}). 

We illustrate the connection deletion wrt. ◁*_1. The operation pref-del(C, C^{x1}) starts 
with an initialization according to the first row of the table below. We begin with 
the entry prefix a0a3a8 and its minimal subprefix q = a0, x_q = a3. The first deletion 
set is given by S^1 where the α-related subproof prevents deletion of a0a3 (see 
Definition 14). The second step selects a0a5a8 with minimal subprefix a0 and x_q = a5. 
The whole iteration yields D^4 = {a0, a0a3a8a12, a0a5a8a12}, Q^4 = {a0a3, a0a5} and 
M^4_r = ∅ for all r ∈ D^4. Prefix deletion in ◁*_1 has to be completed by eliminating the 
unblocked redundancies Q^4 according to Definition 16 (see the right hand side of 
the table). We select a0a3 with its minimal subprefix q = ε and x_q = a0. Recall 
that S^5 also contains all prefixes from Q^4 which were not contained in D^4. Thus, 
after one step, we obtain Q^5 = ∅ and terminate with pref-del(C, C^{x1}) = C' where 
Pref(C') = D^5 = {a0a3a8a12}. 



[Table: iteration of pref-del(C, C^{x1}) for Example 5. Left half, steps i = 0 to 4, with columns 
i, selected prefix, D^i, P^i_en, P^i_ex, S^i (row 0: D^0 = Pref(C), P^0_en = {a0a3a8, a0a5a8}, 
P^0_ex = {a0a3a8a10, a0a5a8a11}, S^0 = ∅). Right half, steps j, with columns j, selected prefix, 
Q^j, U^j, S^j. The remaining cell values could not be recovered from the extraction.] 
Finally, β-split performs connection deletion wrt. ◁*_1: con-del(C, C^{x1}) = {(a12, a13)} 
with Pre((a12, a13)) = {a0a3a8a12}. The refined split-operation terminates on ◁*_1 with 
applications of the refined (β,0)-purity. The set P_r is initialized with all atomic 
positions of ◁*_1, except a12 and a13. Additional connection deletions are not required 
and all subrelations depending on iterative updating of P_r will be deleted from ◁*_1 (see 
Definition 4). The resulting relevant submatrix corresponding to ◁*_1' is shown below: 

[Figure: submatrix consisting of the literals ¬C^{a12} and C^{a13}] 

The example can easily be extended such that the “conventional” application of β-split 
would cause a decomposition problem in ◁*_1'. 

5 Complexity, Correctness, and Completeness 

We will now show that the refinements of the β-split operation which we intro- 
duced in sections 3 and 4 do in fact lead to an adequate and complete proof 
reconstruction procedure. Since a traversal of ◁* can be completed in polyno- 
mial time if no deadlocks are present, it suffices to prove that the refined split 
operation has a polynomial complexity in the size of the matrix proof (ade- 
quateness) and that splitting with prefixed connections deletes all redundancies 
from a matrix proof (completeness). The proofs of the following lemmata and 
theorems can be found in the first author’s technical report [15]. 

Complexity. The size of a matrix proof is usually defined as the number of 
inference steps for testing a mating C to be spanning. This measure is equiv- 
alent to the number of active paths |𝒫| in a matrix proof which may increase 
exponentially in the size of ◁*, i.e. the number of positions. 

Lemma 2. Let |𝒫| be the size of a matrix proof, n the maximal length of paths 
P_i ∈ 𝒫, and k the maximal length of (non-normal form) clauses in ◁*. Then 
|𝒫| ∈ O(k^n) and n is polynomial wrt. the size of ◁*. 
The refinements of the operation β-split are based on the deletion of pre- 
fixes wrt. a prefix set Pref(C^y). Testing the basic elimination conditions (Def- 
inition 14) as well as computing the relevant sets during the iteration process 
(Definitions 15 and 16) can be done in polynomial time in the size of |Pref(C)|. 
But this complexity is polynomial wrt. the size of the matrix proof |𝒫|. 

Lemma 3. Let C be the spanning mating from a matrix proof, Pref(C) its prefix 
set, and k, n as in Lemma 2. Then |Pref(C)| ∈ O(k^n). 

The number of purity applications within (β,0)-purity is determined by 
the possible updates of the set P_r, which is polynomial wrt. the size of ◁*. 
Lemma 3 also states that integration of proof knowledge Pref(C) into the proof 
reconstruction process requires polynomial (space) complexity wrt. |𝒫|. From 
this we conclude the following adequateness theorem: 

Theorem 2. The refined split operation split(◁*, x) at a β-node x using prefixed 
connections is polynomial wrt. the size of the matrix proof |𝒫|. 

In special cases the size |𝒫| of a matrix proof and the size |C| of its spanning 
mating may differ exponentially. If k, n are defined as above and all active paths 
P_i ∈ 𝒫 share the same connections from C, we find examples such that |C| < n·k 
and |𝒫| ∈ O(k^n). Hence, the additional search complexity on a decomposition 
problem when using spanning matings C may be transformed into an exponen- 
tial representation requirement for |𝒫| when integrating prefixed connections. 
However, the complexity of a matrix proof is reflected more adequately when 
taking its size |𝒫| into account. Furthermore, conversion with prefixed connec- 
tions avoids redundant steps in the resulting sequent proof which cannot be 
guaranteed when using matings together with additional search. 

Correctness and Adequate Completeness. The correctness of the conver- 
sion procedure using prefixed connections is obvious. The split operation with re- 
fined connection deletion cuts subrelations from ◁* without violating the relation 
⊏ in the remaining part of ◁*. Incorrect applications of sequent rules wrt. rule 
non-permutabilities are impossible. Thus, reconstructing a sequent proof from 
◁* implies that the input formula is valid wrt. the selected logic. 

In order to prove completeness we show that no redundant connections will 
survive in the ◁*_i after applications of the refined split operation. 

Lemma 4. Let ◁* represent an extension proof with connection set C. Let x 
be a β-node and C_i ⊆ C be the connection sets of ◁*_i after executing the refined 
split operation at x. Then a connection c ∈ C is proof-relevant wrt. ◁*_i iff c ∈ C_i. 

The occurrence of a decomposition problem T_u/~_C = {[t^1], ..., [t^m]} is always 
based on redundant connections since only a single [t^i] is proof-relevant. From 
Lemma 4 it also follows that T_u/~_C = {[t^a]} for a ∈ P_u. According to Lemma 1 
this implies that ◁* will be deadlock free during the whole proof reconstruction 
process which leads to the concluding theorem. 

Theorem 3. Let x be a β-node. The extended split operation split(◁*, x) is 
correct and adequately complete for redundancy deletion in ◁*. 
6 Conclusion and Future Work 



We have presented a method for eliminating redundancies during a conversion 
of matrix proofs into sequent proofs. Our approach refines the proof reconstruction 
procedure presented in [17, 7] and covers classical and intuitionistic logic, the 
modal logics K, K4, D, D4, T, S4, S5, and fragments of linear logic. For obtaining 
adequate (search-free) completeness of proof reconstruction, we have classified 
two levels of redundancy. We have shown that adequate solutions require 
additional knowledge from proof search in the matrix calculus. Assuming the usual 
extension proof search strategy, we have introduced prefixed connections as a 
means of representing a proof history. We have integrated this concept into the 
proof reconstruction procedure and shown that the refined procedure will always 
generate a sequent proof in polynomial time wrt. the size of the matrix proof. 

In the future we will make use of the uniformity of our approach and combine 
it with existing proof procedures for non-classical logics in order to guide deriva- 
tions in interactive proof development systems. We will also be able to extend 
our approach to additional logics, such as larger fragments of linear logic, as 
soon as matrix characterizations and proof procedures have been developed for 
them. Apart from this we will generalize the concept of prefixed connections to 
other proof strategies. For example proof histories from tableau based proof pro- 
cedures [13] may be expressed in terms of extension proofs in order to combine 
tableau provers with our proof reconstruction procedure as well. 
Abstract. The paper presents a one-pass tableau calculus PLTLt for 
the propositional linear time logic PLTL. The calculus is correct and 
complete and, unlike in previous decision methods, there is no second 
phase that checks for the fulfillment of the so-called eventuality formulae. 
This second phase is performed locally and is incorporated into the 
rules of the calculus. Derivations in PLTLt are cyclic trees rather than 
cyclic graphs. When used as a basis for a decision procedure, it has the 
advantage that only one branch needs to be kept in memory at any one 
time. It may thus be a suitable starting point for the development of a 
parallel decision method for PLTL. 



1 Introduction 

Temporal logic has proved to be a useful formalism for reasoning about execution 
sequences of programs. It can be employed to formulate and verify properties of 
concurrent programs, protocols and hardware (see for instance [1], [13], [14]). A 
prominent variant is the propositional linear time logic PLTL where the decision 
problem is known to be PSPACE-complete [15]. In most of the previous publi- 
cations the decision algorithm itself has been presented as a 2-phase procedure: 

1. A tableau procedure that creates a graph. 

2. A procedure that checks whether the graph fulfills all eventuality formulae. 

The second phase usually leads to an analysis of the strongly connected com- 
ponents (SCC) of the graph (see e.g. [16]). Typical descriptions of this 2-phase 
method can be found in [17] and [9] where, in both cases, the second phase is 
not treated formally. 

The tableau method presented in [12] is claimed to be incremental, where 
‘incremental’ means that only reachable nodes are created (this is also true for 
[17] and [9]). However, it is essentially still a 2-phase procedure. The focus there is 
on providing a refined method for linear temporal logic with past time operators. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 277-291, 1998. 
The above methods can treat the verification problem directly as a logical 
implication 'spec → prop', where spec is the PLTL formula representing a 
specification and prop the formula representing a property to be verified. The 
essence of the problem is to show the validity of this implication in PLTL. 

An alternative approach uses state-based methods (also referred to as 'model 
checking'). One possibility is to translate both the specification (e.g. of a 
protocol) and the negation of the property into labeled generalized Büchi automata, 
where the property automaton is also generated by a tableau-like procedure. A 
second phase then checks whether the language accepted by the synchronous 
product of the two automata is empty. Once again, in general, this involves an 
SCC analysis. In [7] it is claimed that the check for emptiness can be done 
'on-the-fly' during the generation of the product: the tableau-like procedure builds 
the property graph in a depth-first manner choosing only successors that 'match' 
the current state of the protocol. Validity can also be checked using this method. 
However, it is not clear from the description whether the procedure remains 
'on-the-fly' when there is no protocol to 'match'. In [2] it is shown how a generalized 
Büchi automaton can be transformed into a classical Büchi automaton for which 
the emptiness check reduces to a simple cycle detection scheme. So in the area 
of state-based methods similar attempts have been made to intermix the two 
phases and to avoid a standard SCC analysis. 

Here we present a one-pass tableau calculus which checks locally, on-the-fly, 
for the fulfillment of eventuality formulae on a branch- by-branch basis. No second 
phase is required. It can also be used for an incremental depth-first search where 
only reachable states are created. Derivations in this calculus result in (cyclic) 
tree-like structures rather than general graphs. Thus, the analysis of strongly 
connected components reduces to the detection of ‘isolated subtrees’, a task 
which is very simple and which can therefore be incorporated easily into the 
calculus. The new aspects basically consist of: 

1. A branch-based loop check that ensures termination. 

2. A part that synthesizes the essential information gleaned from expanding 
the subtrees of a node. 

The 2-phase methods require the creation of a fully expanded tableau, which is 
often exponential in the size of the initial formula. Since our method involves only 
one pass and is complete, we can stop as soon as a (counter-) model is detected, 
thus, (sometimes) avoiding a fully expanded tableau. A further advantage is 
that only one branch of the derivation tree needs to be considered at any stage. 
Therefore, the calculus PLTLt is a natural analogue of the tableau and Gentzen- 
style sequent calculi for various modal logics, for instance K, KT and S4 (see e.g. 
[6], [8], [3]), where derivations are also trees, where it is always sufficient to 
consider one branch at any one time and where a check for loops is sometimes 
required to guarantee termination (see e.g. [11]). 

While the two phases of the previous methods are an obstacle for paralleliza- 
tion, the branch-by-branch treatment offers natural possibilities for concurrent 
search. Of course, at the end, the resultant parts would need to be combined, but 
until then the processors could work independently on different subtrees without 
extra communication. 

There is of course a caveat. Since a naive derivation in PLTLt essentially 
unfolds a graph into a tree, the run-time may be significantly higher, especially 
for examples where the graphs have (relatively) few nodes and many edges. 
Clearly, the calculus must be applied in combination with suitable pruning and 
caching techniques. Algorithmic aspects, however, are beyond the scope of this 
paper. We will focus on the new definitions and the key lemmata and theorems. 
Simpler observations are stated as propositions without proofs. 

2 Syntax 

In the following we deal with an extension $\mathcal{L}$ of the language for classical 
propositional logic. It comprises: 1. Countably many propositional variables 
$p_0, p_1, \ldots$ 2. The propositional constants true and false. 3. The connectives 
$\neg$, $\wedge$, $\vee$, $X$ (neXt time), $F$ (sometime), $G$ (generally), $U$ (until), 
and $B$ (before). As auxiliary symbols we have parentheses and commas. The 
formulae of $\mathcal{L}$ are inductively defined: 1. The propositional variables and 
constants are formulae. 2. If $A$ and $C$ are formulae, then $(\neg A)$, $(XA)$, $(FA)$, 
$(GA)$, $(A \wedge C)$, $(A \vee C)$, $(A\,U\,C)$, and $(A\,B\,C)$ are formulae. 

The set of propositional variables is denoted by Var and the set of all 
formulae by Fml. As metavariables for propositional variables we use $P, Q$, and 
as metavariables for formulae $A, C, D$, possibly with subscripts. Propositional 
variables are also called positive literals; if $P$ is a propositional variable then 
$\neg P$ is a negative literal. As metavariable for positive literals we use $P$ and as 
metavariable for literals $M$, possibly with subscripts. In order to increase 
readability, we omit outer parentheses and define the unary connectives to take 
precedence over all binary connectives. For example, we write 
$F(p_0\,U\,p_1) \wedge (p_0\,B\,\neg Xp_1)$ for the formula 
$((F(p_0\,U\,p_1)) \wedge (p_0\,B\,(\neg(Xp_1))))$. 

3 Semantics 

Definition 1. A PLTL-model is a pair $(S, L)$, where $S$ is an infinite sequence 
of states $(s_i)_{i \in \mathbb{N}} = s_0 s_1 \ldots$ and $L : S \to \mathrm{Pow}(\mathrm{Var})$ is a function which 
assigns to each state a set of propositional variables. $L$ is called a 'labeling'. 

Definition 2. Let $\mathcal{M} = (S, L)$ be a PLTL-model, $s_i \in S$, and $A \in \mathcal{L}$. The 
relation '$\mathcal{M}$ satisfies $A$ at state $s_i$', formally $\mathcal{M}, s_i \models A$, is inductively defined: 

1. $\mathcal{M}, s_i \models \mathit{true}$ and $\mathcal{M}, s_i \not\models \mathit{false}$. 

2. $\mathcal{M}, s_i \models P$ iff $P \in L(s_i)$. 

3. $\mathcal{M}, s_i \models \neg A$ iff $\mathcal{M}, s_i \not\models A$. 

4. $\mathcal{M}, s_i \models A \wedge C$ iff $\mathcal{M}, s_i \models A$ and $\mathcal{M}, s_i \models C$. 

5. $\mathcal{M}, s_i \models A \vee C$ iff $\mathcal{M}, s_i \models A$ or $\mathcal{M}, s_i \models C$. 

6. $\mathcal{M}, s_i \models XA$ iff $\mathcal{M}, s_{i+1} \models A$. 

7. $\mathcal{M}, s_i \models GA$ iff $\mathcal{M}, s_{i+j} \models A$ for all $j \geq 0$. 

8. $\mathcal{M}, s_i \models FA$ iff there exists a $j \geq 0$ such that $\mathcal{M}, s_{i+j} \models A$. 

9. $\mathcal{M}, s_i \models A\,U\,C$ iff there exists a $j \geq 0$ such that $\mathcal{M}, s_{i+j} \models C$ and 
$\mathcal{M}, s_{i+k} \models A$ for all $0 \leq k < j$. 

10. $\mathcal{M}, s_i \models A\,B\,C$ iff for all $j \geq 0$ with $\mathcal{M}, s_{i+j} \models C$ there exists a 
$0 \leq k < j$ with $\mathcal{M}, s_{i+k} \models A$. 

If $\mathcal{M}, s_i \models A$ for all $s_i \in S$, we write $\mathcal{M} \models A$. A formula $A$ is PLTL-satisfiable iff 
there exists a PLTL-model $\mathcal{M} = (S, L)$ and a state $s_i \in S$ such that $\mathcal{M}, s_i \models A$. 
A formula $A$ is PLTL-valid iff $\mathcal{M} \models A$ for all PLTL-models $\mathcal{M} = (S, L)$. Then 
we write PLTL $\models A$. 

Formulae which contain the symbol $\neg$ only immediately before positive 
literals are called formulae in negation normal form. The PLTL-valid equivalences 
$(\neg XA \leftrightarrow X\neg A)$, $(\neg GA \leftrightarrow F\neg A)$, $(\neg(A\,U\,C) \leftrightarrow (\neg A\,B\,C))$, and 
$(\neg(A\,B\,C) \leftrightarrow (\neg A\,U\,C))$ allow us to push the negation inwards and to obtain 
for any formula an equivalent formula in negation normal form. In the following 
we restrict ourselves to formulae in negation normal form. 
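Definition 2 and the four negation-pushing equivalences above can be checked mechanically on an ultimately periodic model, which is the shape of model that the loop trees defined later in this section encode. The following Python code is an added example and is not part of the paper: it represents a PLTL-model as a finite 'lasso' (a list of labels whose last state is followed by the state at a given index), implements every clause of Definition 2 by a bounded scan that is exhaustive because every state reachable from $s_i$ is reached within len(labels) steps, and verifies the equivalences at every state of a constructed sample model. The tuple encoding of formulae, the names LassoModel, holds and nnf_equivalences_hold, and the sample model are assumptions of this example.

```python
"""Definition 2 evaluated on an ultimately periodic ('lasso') PLTL-model.

Added example, not from the paper.  Formulae are nested tuples:
  'true' | 'false' | ('var', p) | ('not', A) | ('and', A, C) | ('or', A, C)
  | ('X', A) | ('F', A) | ('G', A) | ('U', A, C) | ('B', A, C)
"""


class LassoModel:
    """The infinite sequence s_0 s_1 ... given by a finite prefix and a loop.

    labels[i] is L(s_i) for i < len(labels); the successor of the last state
    is the state at index loop_back, so the sequence is ultimately periodic.
    """

    def __init__(self, labels, loop_back):
        if not 0 <= loop_back < len(labels):
            raise ValueError("loop_back must index a state of the lasso")
        self.labels = [frozenset(lab) for lab in labels]
        self.loop_back = loop_back
        # From any s_i every reachable state is visited within len(labels)
        # steps, so scanning this many positions is exhaustive for F, G, U, B.
        self.horizon = len(labels) + 1

    def pos(self, i):
        """Index into labels of the state s_i of the infinite sequence."""
        n = len(self.labels)
        if i < n:
            return i
        return self.loop_back + (i - self.loop_back) % (n - self.loop_back)

    def label(self, i):
        return self.labels[self.pos(i)]


def holds(m, i, f):
    """M, s_i |= f, clause by clause as in Definition 2."""
    if f == 'true':
        return True
    if f == 'false':
        return False
    op = f[0]
    if op == 'var':
        return f[1] in m.label(i)
    if op == 'not':
        return not holds(m, i, f[1])
    if op == 'and':
        return holds(m, i, f[1]) and holds(m, i, f[2])
    if op == 'or':
        return holds(m, i, f[1]) or holds(m, i, f[2])
    if op == 'X':
        return holds(m, i + 1, f[1])
    if op == 'G':
        return all(holds(m, i + j, f[1]) for j in range(m.horizon))
    if op == 'F':
        return any(holds(m, i + j, f[1]) for j in range(m.horizon))
    if op == 'U':  # A U C: some s_{i+j} |= C, with A at every s_{i+k}, k < j
        a, c = f[1], f[2]
        for j in range(m.horizon):
            if holds(m, i + j, c):
                return True
            if not holds(m, i + j, a):
                return False
        return False
    if op == 'B':  # A B C: every s_{i+j} |= C has some s_{i+k} |= A, k < j
        a, c = f[1], f[2]
        for j in range(m.horizon):
            if holds(m, i + j, c):
                return False  # a C is reached before any A
            if holds(m, i + j, a):
                return True   # from here on every later C is preceded by A
        return True
    raise ValueError(f"unknown connective {op!r}")


def nnf_equivalences_hold(m, a, c):
    """Check the four equivalences used to push negation inwards at every state."""
    pairs = [
        (('not', ('X', a)), ('X', ('not', a))),
        (('not', ('G', a)), ('F', ('not', a))),
        (('not', ('U', a, c)), ('B', ('not', a), c)),
        (('not', ('B', a, c)), ('U', ('not', a), c)),
    ]
    return all(holds(m, i, lhs) == holds(m, i, rhs)
               for i in range(len(m.labels)) for lhs, rhs in pairs)


# Constructed sample model (an assumption of this example): s_0 = {p}, s_1 = {},
# s_2 = {q}, s_3 = {p}, then back to s_2, i.e. the trace  p, -, q, p, q, p, q, ...
SAMPLE = LassoModel([{'p'}, set(), {'q'}, {'p'}], loop_back=2)
P, Q = ('var', 'p'), ('var', 'q')

if __name__ == '__main__':
    print(holds(SAMPLE, 0, ('U', P, Q)))        # False: s_1 satisfies neither p nor q
    print(holds(SAMPLE, 0, ('G', ('F', P))))    # True: p recurs forever on the loop
    print(holds(SAMPLE, 1, ('B', P, Q)))        # False: q at s_2 without an earlier p
    print(nnf_equivalences_hold(SAMPLE, P, Q))  # True
```

The scan bound is the only point that needs care: from any position the walk through the lasso revisits every reachable state within len(labels) steps, so a U that has not found its C by then never will, and a B that has met neither A nor C by then holds vacuously.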

Definition 3. The complement $\overline{A}$ of a formula $A$ in negation normal form is 
inductively defined as follows. 1. $\overline{\mathit{true}} := \mathit{false}$ and $\overline{\mathit{false}} := \mathit{true}$. 
2. $\overline{P} := \neg P$ and $\overline{\neg P} := P$. 3. $\overline{A \wedge C} := (\overline{A} \vee \overline{C})$ and 
$\overline{A \vee C} := (\overline{A} \wedge \overline{C})$. 4. $\overline{GA} := F\overline{A}$ and $\overline{FA} := G\overline{A}$. 
5. $\overline{A\,B\,C} := \overline{A}\,U\,C$ and $\overline{A\,U\,C} := \overline{A}\,B\,C$. 

Definition 4. We classify the formulae in negation normal form: 1. Propositional 
constants, literals and formulae of the form $XA$ are called elementary. 
2. All other formulae are called non-elementary and can be represented either 
as α-formulae (conjunctions) or as β-formulae (disjunctions) according to the 
following tables: 

    α                α1                α2
    $A \wedge C$     $A$               $C$
    $GA$             $A$               $XGA$
    $A\,B\,C$        $\overline{C}$    $A \vee X(A\,B\,C)$

    β                β1                β2
    $A \vee C$       $A$               $C$
    $FD$             $D$               $XFD$
    $C\,U\,D$        $D$               $C \wedge X(C\,U\,D)$

β-formulae of the form $FD$ and $C\,U\,D$ are also called eventuality formulae or 
eventualities for short; in order for these formulae to hold at a certain state in 
a model, there must be a future state where $D$ 'eventually' holds. 

In the following we use $\alpha, \alpha_1, \alpha_2$ to denote an α-formula and its conjuncts 
and $\beta, \beta_1, \beta_2$ to denote a β-formula and its disjuncts. Moreover, we assume for 
the rest of the paper that there are no formulae of the form $FD$; they can be 
written as $\mathit{true}\,U\,D$. 

Definition 5. We define the closure $cl(A)$ for any formula $A$ in negation normal 
form: 1. $A$ is in $cl(A)$. 2. If $\neg P$ is in $cl(A)$, then $P$ is in $cl(A)$. 3. If $XB$ is 
in $cl(A)$, then $B$ is in $cl(A)$. 4. If $\alpha$ is in $cl(A)$, then $\alpha_1$ and $\alpha_2$ are in $cl(A)$. 
5. If $\beta$ is in $cl(A)$, then $\beta_1$ and $\beta_2$ are in $cl(A)$. 

The closure of a formula is essentially the set of all subformulae augmented 
with the $\alpha_2$ and $\beta_2$ parts of the temporal connectives. It is also called the 
Fischer-Ladner closure [5]. Before we turn to Hintikka structures for PLTL, we define 
some properties for more general 'labeling' functions which assign to states sets 
of formulae rather than sets of variables. 

Definition 6. Let $S$ be a (possibly finite) sequence of states $s_0 s_1 \ldots$, $L$ a 
function $L : S \to \mathrm{Pow}(\mathrm{Fml})$, and $s_i \in S$. 

1. Propositional consistency properties: 

(PC0) false is not in $L(s_i)$. 

(PC1) If a literal $M$ is in $L(s_i)$, then its complement $\overline{M}$ is not in $L(s_i)$. 

(PC2) If $\alpha$ is in $L(s_i)$, then $\alpha_1$ and $\alpha_2$ are in $L(s_i)$. 

(PC3) If $\beta$ is in $L(s_i)$, then $\beta_1$ or $\beta_2$ is in $L(s_i)$. 

2. Local consistency property: 

(LC) If $XA$ is in $L(s_i)$ and $s_i$ is not the last state if $S$ is finite, then $A$ is 
in $L(s_{i+1})$. 

We say that $L$ fulfills one of the above properties if the respective condition 
is satisfied for all states $s_i$ of the sequence $S$. 

In the next definition we describe the set of eventualities that are not ‘satis- 
fied’ in a sequence of states. 

Definition 7. Let $S$ be a (possibly finite) sequence of states $s_0 s_1 \ldots$ and 
$L : S \to \mathrm{Pow}(\mathrm{Fml})$ a labeling. Then the set $open(S, L)$ of eventualities is defined as: 

$open(S, L) := \{\, C\,U\,D \mid \exists i\,(C\,U\,D \in L(s_i)) \text{ and } \forall j \geq i\,(D \notin L(s_j)) \,\}$. 

The following definition of a (pre-)Hintikka structure can be found in the 
literature (e.g. [4]). 

Definition 8. A pre-Hintikka structure $\mathcal{H}$ is a pair $(S, L)$, where $S$ is a sequence 
of states $(s_i)_{i \in \mathbb{N}} = s_0 s_1 \ldots$ and $L : S \to \mathrm{Pow}(\mathrm{Fml})$ is a labeling function that 
fulfills the properties (PC0-3) and (LC). 

By restricting the labeling function $L$ to variables, we can associate with each 
pre-Hintikka structure $\mathcal{H} = (S, L)$ a model $\mathcal{M}_{\mathcal{H}} := (S, L|\mathrm{Var})$. 

Definition 9. We say that a pre-Hintikka structure $\mathcal{H} = (S, L)$ is a Hintikka 
structure if $open(S, L) = \emptyset$, that is, if we have for any state $s_i$ and any eventuality 
$C\,U\,D$: If $C\,U\,D \in L(s_i)$, then there exists a $j \geq i$ with $D \in L(s_j)$. 

$\mathcal{H}$ is said to be a (pre-)Hintikka structure for a formula $A$ if $A \in L(s_0)$. We 
say that $\mathcal{H}$ is a complete (pre-)Hintikka structure for $A$ if for all $i$: 
$L(s_i) = \{\, C \mid C \in cl(A) \text{ and } \mathcal{M}_{\mathcal{H}}, s_i \models C \,\}$. 

Note that any Hintikka structure for A can be made into a complete Hintikka 
structure for A by adding to L{si) all formulae of the closure that are satisfied at 
Si. The following standard theorem relates the existence of Hintikka structures 
to the existence of models. 
Theorem 1. A formula $A$ in negation normal form is PLTL-satisfiable iff there 
exists a Hintikka structure for $A$. 

Proof. See for instance [9]. 

In the following we deal with a set $W$ of words over an alphabet $S$. We write 
$ws$ for the concatenation of a word $w$ and a single element $s \in S$. Similarly, 
we write $ww'$ for the concatenation of the two words $w$ and $w'$. $w$ and $w'$ may 
also be the empty word. Now we introduce a new type of structures which are 
essentially trees with loops on their branches. 

Definition 10. A loop tree is a tuple $T = (W, S, L, R)$ where: 

1. $S$ is a finite set. 

2. $W$ is a finite set of finite words over $S$ where: 

a) If $w = s_0 s_1 \ldots s_k \in W$, then $s_i \neq s_j$ for all $0 \leq i < j \leq k$. 

3. $R$ is a binary relation on $W$ with the following properties: 

a) $(w, ws) \in R$ for all $w, ws \in W$. 

b) If $w \in W$ and $ws \notin W$ for all $s \in S$, then there exists a word $w' \in W$ 
such that $w'$ is a prefix of $w$ and $(w, w') \in R$. 

c) If $(w, w') \in R$, then either $w'$ is of the form $ws$ or $w'$ is a prefix of $w$. 

4. $L : W \to \mathrm{Pow}(\mathrm{Fml})$ is a labeling function with the property: $L(ws) = L(w's)$ 
for all $ws, w's \in W$. 

The set $S$ can be viewed as a set of nodes and the words $W$ as directions 
how to reach these nodes. The conditions say that a word should contain a 
node only once, and that words which cannot be extended are related to a 
prefix. This means that we basically have a tree-like structure with loops 
back on the branches where at the end of each branch we have at least one 
loop back. The arrows in Fig. 1 correspond to the relation $R$. The labeling 
is controlled by the last node of a word. A word is essentially the last node 
plus the information how it is reached. Therefore words will also be called states. 

Fig. 1. Example of a loop tree. 

Definition 11. Let $T = (W, S, L, R)$ be a loop tree. 

1. If $ws \in W$ and $w \notin W$, then $ws$ is called a root of $T$. 

2. A path through $T$ is a finite or infinite $R$-sequence of states $w_0, \ldots, w_i, 
w_{i+1}, \ldots$, where $(w_i, w_{i+1}) \in R$ for all $w_i$ of the sequence (except the last 
one if the sequence is finite). 
3. A loop branch of $T$ is a finite path $w_0, w_1, \ldots, w_k, w_{k+1}$ through $T$ where $w_0$ 
is a root and for all $i < k$, $w_{i+1} = w_i s_i$ for some $s_i \in S$. The last state $w_{k+1}$ 
is identical to a previous state, i.e. $w_{k+1} = w_j$ for a $j \leq k$, and it is called 
the loop state of the branch. The suffix path $w_j, w_{j+1}, \ldots, w_k, w_{k+1}$ is called 
the loop of the branch. We say that a path $\pi$ visits the loop branch or simply 
the loop if $w_k, w_{k+1}$ occurs in $\pi$ (as a pair of consecutive states). 

4. If $\pi = w_0, \ldots, w_j, w_{j+1}, \ldots, w_k, w_{k+1}$ is a loop branch, the set $open_{inf}(\pi, L)$ 
is defined as: 

$open_{inf}(\pi, L) := \{\, C\,U\,D \mid C\,U\,D \in open(\pi, L) \text{ and } \forall i\,(j \leq i \leq k \rightarrow D \notin L(w_i)) \,\}$. 

5. The function $depth_T : W \to \mathbb{N}$ is defined as follows: 1. $depth_T(w) := 0$ for 
any root $w$ of $T$. 2. $depth_T(ws) := depth_T(w) + 1$ for any $w, ws \in W$. 

Remarks: 1. Note that a loop tree may contain several roots and may therefore 
represent several tree-like structures. 2. A loop branch is defined to contain 
the backward loop. Therefore a 'physical branch' can contain several loop 
branches that share a common prefix path (see Fig. 1). In particular, loops may also 
start at non-leaf nodes. 3. Obviously, $open_{inf}(\pi, L)$ is a subset of $open(\pi, L)$. It 
denotes the eventualities of $\pi$ which are not satisfied on the loop itself even if it 
is visited infinitely many times. 

Proposition 1. If $w_j, w_{j+1}, \ldots, w_k, w_{k+1}$ is a loop ($w_{k+1} = w_j$) and a path $\pi$ 
visits it repeatedly (i.e. multiple occurrences of $w_k, w_{k+1}$ on it), then obviously all 
other states of the loop $w_{j+1}, \ldots, w_{k-1}$ must occur in $\pi$ between two occurrences 
of $w_k, w_{k+1}$, although not necessarily in a row. 

Definition 12. Let $T = (W, S, L, R)$ be a loop tree. The subtree of $T$ at $w \in W$ 
is a structure $T' = (W', S', L', R')$ defined as follows: 1. $S' := S$. 2. $W' := 
\{\, ww' \mid ww' \in W \,\}$. 3. $R' := \{\, (ww', ww'') \mid (ww', ww'') \in R \,\}$. 4. $L' := L|W'$. 

We say that $T'$ is an isolated subtree of $T$ if $(w', v) \notin R$ for any $w' \in W'$ and 
$v \in W \setminus W'$. 

An isolated subtree is obviously a loop tree. Whether or not a subtree is 
isolated can be determined easily by checking the loop states of the loop branches 
that pass through the subtree's root. 

Lemma 1. Let $T = (W, S, L, R)$ be a loop tree and $T' = (W', S', L', R')$ the 
subtree at $w \in W$. Then we have: $T'$ is isolated iff 

$depth_T(w) \leq \min(\{\, depth_T(w') \mid w' \text{ is a loop state of a loop branch of } T \text{ containing } w \,\})$. 

Proof. If $T'$ is isolated, then no loop branch of $T$ containing $w$ can have a loop 
state outside $T'$. Since $w$ is the root of $T'$, the depth of a loop state must be 
greater than or equal to the depth of $w$. 

Conversely, if the depth of a loop state is greater than or equal to the depth 
of $w$, then it must belong to $T'$ since a branch may only loop back on itself. 
Therefore $T'$ must be isolated. 
Definition 13. 

1. A pre-Hintikka-tree is a loop tree $T = (W, S, L, R)$ where $L$ fulfills the 
properties (PC0-3) and (LC) for all paths through $T$. 

2. A Hintikka-tree for a formula $A$ is a pre-Hintikka-tree $T = (W, S, L, R)$ 
with the additional property that there exists an infinite path $\pi = w_0, w_1, \ldots$ 
through $T$ with $A \in L(w_0)$ and $open(\pi, L) = \emptyset$. 

Proposition 2. Let $\pi = w_j, w_{j+1}, \ldots, w_k, w_{k+1}$ be the loop ($w_{k+1} = w_j$) of a 
pre-Hintikka-tree $T = (W, S, L, R)$. Then we have: If an eventuality $C\,U\,D$ is in 
$open_{inf}(\pi, L)$, then $C\,U\,D$ and $X(C\,U\,D)$ are in $L(w_i)$ for all $i$ with $j \leq i \leq k$. 

The following lemma states that the open eventualities of a path depend in 
a simple way on the unfulfilled eventualities of single loop branches. 

Lemma 2. Let $\pi$ be an infinite path through the pre-Hintikka-tree $T = 
(W, S, L, R)$ and $\pi_1, \ldots, \pi_m$ be the loops of $T$ that are visited infinitely many 
times by $\pi$. Then we have: 

$open(\pi, L) = \bigcap_{i=1}^{m} open_{inf}(\pi_i, L)$. 

Proof. $\supseteq$: Let $C\,U\,D$ be in $\bigcap_{i=1}^{m} open_{inf}(\pi_i, L)$. There is a point in time after 
which only the loops $\pi_1, \ldots, \pi_m$ and, therefore, only states from $\pi_1, \ldots, \pi_m$ are 
visited. If $C\,U\,D \in open_{inf}(\pi_i, L)$, then $D$ is not in any state of $\pi_i$, and by 
Proposition 2 we know that $C\,U\,D$ is in each state of $\pi_i$. Therefore $C\,U\,D$ must 
be in $open(\pi, L)$. 

$\subseteq$: Let $C\,U\,D$ be in $open(\pi, L)$. Then there is a state $s$ in $\pi$ such that for 
any future state $s'$ the formula $D$ is not in $L(s')$ but $X(C\,U\,D)$ is in $L(s')$. This 
implies that for any state $s''$ from $\pi_1, \ldots, \pi_m$ the formula $D$ is not in $L(s'')$ and 
$X(C\,U\,D)$ is in $L(s'')$, since by Proposition 1 all these states are visited by $\pi$ after 
$s$. Therefore $C\,U\,D$ is in $open_{inf}(\pi_i, L)$ for all $i = 1, \ldots, m$. 

Theorem 2. There is a Hintikka structure for a formula $A$ iff there exists a 
Hintikka-tree for $A$. 

Proof. The direction from right to left is obvious. If $T = (W, S, L, R)$ is a 
Hintikka-tree for $A$, then simply choose a path $\pi = w_0 w_1 \ldots$ through $T$ with 
$A \in L(w_0)$ and $open(\pi, L) = \emptyset$. $(\pi, L)$ is then a Hintikka structure for $A$. 

For the direction from left to right assume that $\mathcal{H} = (S, L)$ is a Hintikka 
structure for $A$ with $S = s_0 s_1 \ldots$. First, we introduce an equivalence 
relation $\sim$ on the elements of $S$: $s_i \sim s_j$ iff $L(s_i) \cap cl(A) = L(s_j) \cap cl(A)$. 

The equivalence class of $s_i$ is denoted by $[s_i]$. We construct a Hintikka-tree 
$T = (W, S', L', R)$ for $A$ in the following way ($w, w', w''$ may be the empty 
word): 

1. $S' := S/{\sim}$. 

2. $W$ and $R$ are defined inductively: 

a) $[s_0]$ is an element of $W$. 

b) If $w[s_i]$ is an element of $W$, then we distinguish two cases: 

i. If $w[s_i]$ contains a state equivalent to $s_{i+1}$, that is, if $w[s_i] = w'[s_j]w''$ 
and $s_j \sim s_{i+1}$, then $(w[s_i], w'[s_j])$ is in $R$ (a loop). 

ii. Otherwise $w[s_i][s_{i+1}]$ belongs to $W$ and $(w[s_i], w[s_i][s_{i+1}])$ is in $R$. 

3. The labeling $L'$ is defined as $L'(w[s_i]) := L(s_i) \cap cl(A)$. 

The structure $T$ is obviously a loop tree. $S'$ is finite since $cl(A)$ is finite, 
$L'$ satisfies (PC0-3) and (LC), and by the construction there is a path $\pi = 
w_0, w_1, \ldots$ through $T$ (corresponding to $s_0 s_1 \ldots$) with $w_0 = [s_0]$, $A \in L'(w_0)$ 
and $open(\pi, L') = \emptyset$. Therefore $T$ is a Hintikka-tree for $A$. 

4 The Calculus PLTLt 

We present a tableau-like calculus for PLTL that is complete and correct with 
respect to the PLTL semantics. It operates on so-called prestates which contain 
the full information needed to decide satisfiability of formulae in negation normal 
form. 

In the following we use $\Gamma$ and $\Sigma$ for finite sets of formulae in negation normal 
form, and $\Delta$ for sets of literals (and possibly constants). We also write $A, \Gamma$ for 
the set $\{A\} \cup \Gamma$, and $\Gamma, \Sigma$ for the union $\Gamma \cup \Sigma$, and $X\Sigma$ is used for the set 
$\{\, XA \mid A \in \Sigma \,\}$. 

For lists we have the following conventions: We use $*$ for the concatenation 
of lists and $[\,]$ for the empty list. If $M$ is a list, then we write $len(M)$ for the 
length of $M$ and $M[i]$ for the $i$-th element of $M$ ($1 \leq i \leq len(M)$). If $M$ is a list of 
tuples, then we write $M[i]_j$ to denote the projection to the $j$-th element of $M[i]$. 

Definition 14. A prestate is a triple $(\Gamma, Save, Res)$, also written as $\Gamma \mid Save 
\mid Res$ where: 

1. $\Gamma$ is a finite set of formulae in negation normal form. 

2. $Save$ is a structure to store history information. It is a pair $(Ev, Br)$, also 
written as $Ev\,;\,Br$, where $Ev$ is a set of formulae in negation normal form 
representing the currently satisfied eventualities, $Br$ is a list of pairs $(\Gamma', Ev')$ 
representing the current branch, and $\Gamma'$ and $Ev'$ correspond to the $\Gamma$ and $Ev$ 
parts of previous prestates. 

3. $Res$ is a structure to store partial result information. It is a pair $(n, uev)$, 
where $n$ is a natural number indicating the 'earliest' prestate reachable by 
the current one, and $uev$ is a set of eventuality formulae in negation normal 
form. It represents the unfulfilled eventualities of the current branch. 

A prestate is said to be a state if $\Gamma$ is of the form $\Delta, X\Sigma$, that is, if $\Gamma$ consists 
only of elementary formulae. 

According to the above definition, $\Gamma \mid Ev\,;\,Br \mid (n, uev)$ is the extended notation 
for an abstract prestate. To focus on the locally relevant parts of a prestate, we 
use '...' for the 'unimportant' parts (e.g. $\Gamma \mid \ldots \mid \ldots$). If '...' appears at the 
same position in the numerator and the denominator(s) of a rule, then we mean 
that the corresponding parts are the same. 
Definition 15. The tableau calculus PLTLt is defined as follows: 

a) Terminal rules: 

(false)   $\mathit{false}, \Gamma \mid Ev\,;\,Br \mid (len(Br), \{\mathit{false}\})$ 

(contr)   $P, \neg P, \Gamma \mid Ev\,;\,Br \mid (len(Br), \{\mathit{false}\})$ 

(loop)    $\Delta, X\Sigma \mid Ev\,;\,Br \mid (k, uev)$ 

where in (loop) there exists an $i$, $1 \leq i \leq len(Br)$, such that: 

1. $\Delta, X\Sigma = Br[i]_1$. 

2. $k = i - 1$ and $uev = \{\, C\,U\,D \mid C\,U\,D \in \Sigma \text{ and } D \notin Br[j]_2 \text{ for all } j \text{ with } i \leq j \leq len(Br) \,\}$. 

b) α-rules: 

(α)   $\dfrac{\alpha, \Gamma \mid \ldots \mid \ldots}{\alpha_1, \alpha_2, \Gamma \mid \ldots \mid \ldots}$ 

c) β-rules: 

(∨)   $\dfrac{A \vee B, \Gamma \mid \ldots\,;\,Br \mid (n, uev)}{A, \Gamma \mid \ldots\,;\,Br \mid (n_1, uev_1) \qquad B, \Gamma \mid \ldots\,;\,Br \mid (n_2, uev_2)}$ 

(U)   $\dfrac{C\,U\,D, \Gamma \mid Ev\,;\,Br \mid (n, uev)}{D, \Gamma \mid Ev \cup \{D\}\,;\,Br \mid (n_1, uev_1) \qquad C, X(C\,U\,D), \Gamma \mid Ev\,;\,Br \mid (n_2, uev_2)}$ 

where in (∨) and (U): 

1. $n = \min(n_1, n_2)$. 

2. ($m := len(Br) - 1$) 

$uev = \begin{cases} 
\emptyset & \text{if } uev_1 = \emptyset \text{ or } uev_2 = \emptyset, \\ 
\{\mathit{false}\} & \text{if } n_1 > m \text{ and } n_2 > m \text{ (and } uev_1 \neq \emptyset, uev_2 \neq \emptyset), \\ 
uev_1 & \text{if } n_1 \leq m \text{ and } n_2 > m \text{ (and } uev_2 \neq \emptyset), \text{ or if } uev_2 = \{\mathit{false}\}, \\ 
uev_2 & \text{if } n_1 > m \text{ and } n_2 \leq m \text{ (and } uev_1 \neq \emptyset), \text{ or if } uev_1 = \{\mathit{false}\}, \\ 
uev_1 \cap uev_2 & \text{otherwise.} 
\end{cases}$ 

d) Nexttime rule: 

(X)   $\dfrac{\Delta, X\Sigma \mid Ev\,;\,Br \mid \ldots}{\Sigma \mid \emptyset\,;\,Br * ((\Delta, X\Sigma), Ev) \mid \ldots}$ 

In order to ensure termination, the α- and β-rules and the nexttime rule are 
restricted to prestates that are not instances of a terminal rule. We call $\alpha$ in 
(α), $A \vee B$ in (∨), and $C\,U\,D$ in (U) the decomposed formula of the respective 
rule. 



Remark 1. 

— The main difference to a modal calculus is the result part which is synthesized 
bottom-up (from children to parents). It is needed because a single branch 
need not be 'open' or 'closed'; it may be 'open' in connection with some 
other branches. 

— (loop): The sequence $Br[i]_1, \ldots, Br[len(Br)]_1, (\Delta, X\Sigma)$ corresponds to the 
loop of a branch. $uev$ is defined to be the set $open_{inf}(\ldots, \ldots)$ of eventualities 
that are not satisfied on this loop branch (see Proposition 2). 

— (β-rules): A β-rule corresponds to a branching of the tree. $n$ is set to the 
minimum depth of the states to which branches of the two subtrees can loop 
back. $uev$ is the minimal set of eventualities that are left open by any infinite 
path visiting only loops of the subtree below this β node. 

— (Nexttime rule): The current state and the eventualities that are satisfied by 
the current state are appended to the branch $Br$. 

— Note that the sets $\Gamma$, $\Delta$, and $\Sigma$ may be empty. For instance, if $\Sigma$ is empty in 
the numerator of (X), we obtain the following fragment of a tableau which 
ends in a basically empty instance of (loop). On the right the corresponding 
model is shown. 

$\Delta \mid Ev\,;\,Br \mid \ldots$ 
(X) 
$\emptyset \mid \emptyset\,;\,Br * (\Delta, Ev) \mid \ldots$ 
(X) 
$\emptyset \mid \emptyset\,;\,Br * (\Delta, Ev) * (\emptyset, \emptyset) \mid (len(Br) + 1, \emptyset)$   (loop) 



Definition 16. A tableau for a prestate $ps$ is a tree of prestates with root $ps$ 
and where the sons of a node (prestate) correspond to an application of a PLTLt 
rule to the node. We say that the tableau is expanded if each leaf node is an 
instance of a terminal rule. 

Let $A$ be a formula and $n$ the number of subformulae of $A$. Then it is clear 
that any tableau for $A \mid \ldots \mid \ldots$ is finite. There are only finitely many subsets of 
$cl(A) \cup cl(\overline{A})$. Each $\Gamma$ of a prestate $\Gamma \mid \ldots \mid \ldots$ is such a subset, and since the 
terminal rules must be applied whenever they can be applied, the number of different 
prestates on each branch is finite. Therefore, the total number of prestates in 
any tableau for $A \mid \ldots \mid \ldots$ is finite and any expansion will eventually terminate. 

Proposition 3. 

a) For every formula $A$ there is an $n \in \mathbb{N}$ and a set $uev \subseteq \mathrm{Fml}$ such that there 
is an expanded tableau for $A \mid \emptyset\,;\,Br \mid (n, uev)$. 

b) If in a tableau the set $uev$ of a prestate is empty, then the set $uev$ of the root 
of the tableau is also empty. 

Example 1. We show the essential branch of a tableau for the satisfiable property 
$GFp \wedge GF\neg p$ (recall that $Fp$ can be written as $\mathit{true}\,U\,p$). The α- and β-rules 
are applied until we reach a state with only elementary formulae. The currently 
decomposed formula is in parentheses. It is left to the reader to fill in the missing 
$Save$ and $Res$ parts. 

  $(GFp \wedge GF\neg p) \mid \ldots \mid \ldots$ 
  $(GFp), GF\neg p \mid \ldots \mid \ldots$ 
  $Fp, XGFp, (GF\neg p) \mid \ldots \mid \ldots$ 
  $(Fp), XGFp, F\neg p, XGF\neg p \mid \ldots \mid \ldots$                                   Sub1 
  $p, XGFp, (F\neg p), XGF\neg p \mid \{p\}\,;\,. \mid \ldots$ 
  $p, \neg p, \ldots$ (contr)     $p, XGFp, XF\neg p, XGF\neg p \mid \{p\}\,;\,. \mid \ldots$      (state, depth 0) 
  (X) 
  $(GFp), F\neg p, GF\neg p \mid \ldots \mid \ldots$ 
  $Fp, XGFp, F\neg p, (GF\neg p) \mid \ldots \mid \ldots$ 
  $(Fp), XGFp, F\neg p, XGF\neg p \mid \ldots \mid \ldots$ 
  Sub2     $XFp, XGFp, (F\neg p), XGF\neg p \mid \ldots \mid \ldots$ 
  $XFp, XGFp, \neg p, XGF\neg p \mid \{\neg p\}\,;\,. \mid \ldots$      (state, depth 1)      Sub3 
  (X) 
  $Fp, (GFp), GF\neg p \mid \ldots \mid \ldots$ 
  $Fp, XGFp, (GF\neg p) \mid \ldots \mid \ldots$ 
  $(Fp), XGFp, F\neg p, XGF\neg p \mid \ldots \mid \ldots$ 
  $p, XGFp, (F\neg p), XGF\neg p \mid \{p\}\,;\,. \mid \ldots$                                Sub4 
  $p, \neg p, \ldots$ (contr)     $p, XGFp, XF\neg p, XGF\neg p \mid \ldots \mid (0, \emptyset)$      (loop) 

The highlighted prestates above the (X)'s are the states of the tableau; the 
first one (at 'state' depth 0) satisfies $p$ and the second one satisfies $\neg p$. The 
essential branch ends in an instance of (loop), where in the $Res$ part the 0 refers 
to the depth 0 of the first state and the $\emptyset$ indicates that all eventualities (the 
only candidate to check stems from $XF\neg p$) are satisfied on this loop. Sub1, ..., Sub4 
stand for other branches in the expanded tableau. 

The corresponding model is very simple: the two states alternate, the first 
satisfying $p$ and the second $\neg p$. 




Definition 17. The loop tree $T = (W, S, L, R)$ for an expanded tableau is 
defined in the following way: 

1. $S$ is the set of all states (not prestates!) of the tableau and the set of leaf 
nodes which are not instances of (loop). 

2. $W$ is the set of paths (in terms of $S$) to the elements of $S$ in the tableau. 

3. $R$: 

a) $(w, ws)$ is in $R$ for all $w, ws \in W$. 

b) $(ws, ws)$ is in $R$ if $s$ is an instance of (false) or (contr). That is, we draw 
a loop to the last state itself if it is inconsistent. 

c) If $w \in W$ is a path to a state which is the last state before an instance of 
(loop) in the tableau, then $w$ must be of the form $w's w''$ where $s$ is the 
referenced loop state. Then $(w, w's)$ is in $R$. 

4. $L(ws)$ is the set $\Gamma$ if $s = \Gamma \mid \ldots \mid \ldots$ plus all the formulae that are 
decomposed in the tableau between $w$ and $ws$. 

We could also (formally) omit the classical contradictions from the loop tree 
(and the states which have only contradictory prestates below), and we would 
obtain a pre-Hintikka-tree. However, the relevant information is always in the 
result part. 

Lemma 3. Let $T = (W, S, L, R)$ be the loop tree for an expanded tableau. Then 
we have for all $ws \in W$, $s = \Delta, X\Sigma \mid Ev\,;\,Br \mid (n, uev)$: 

a) $L$ fulfills (PC0-3) and (LC) for $ws$ if $s$ is not an instance of (false) or (contr). 

b) $depth_T(ws) = len(Br)$. 

c) $n = \min(\{\, depth_T(v) \mid v \text{ is a loop state of a branch } \pi = \ldots ws \ldots \,\})$. 

d) The subtree of $T$ at $ws$ is isolated iff $n \geq len(Br)$. 

Proof. Follows from the definition of the calculus and Definition 17. Part d) 
follows from b) and c) and Lemma 1. 

Note that the β-rule applications in the tableau are between two states. The 
lower state is at depth $len(Br)$. The conditions in the β-rules, however, control 
the result synthesis for the upper state which is at depth $len(Br) - 1$. 

Theorem 3 (Correctness). If A is a formula in negation normal form and if 
there exists an n such that there is an expanded tableau for A | ∅ ; [] | (n, ∅), then 
A is satisfiable. 

Proof. (Sketch) We basically show that for any prestate ps = … | … | (n, uev) 
in the tableau with uev ≠ {false} there is a pre-Hintikka structure ℋ_ps = (S, L) 
for A with open(S, L) = uev. We represent the pre-Hintikka structure as a loop 
tree with one single branch π starting with the path that leads to ps. We proceed 
bottom-up, that is, by induction on the depth of the tableau subtree with root ps. 
The main case involves a linearization of two loops into a single one as depicted 
in Fig. 2 (the capital letters denote sections of the path). Lemma 2 ensures that 
the set of open eventualities is the intersection of the corresponding sets of the 
two loops, according to the condition in the β-rules. 





Fig. 2. Loop linearization. 



Lemma 4. Let 𝒯 = (W, S′, L′, R) be the loop tree for an expanded tableau for 
A | ∅ ; [] | (n_A, uev_A). Then we have: If there is an infinite path π through 𝒯 with 
open(π, L′) = ∅, and if L′ fulfills (PC0–3) and (LC) on π, then uev_A must be ∅. 

Proof. (Sketch) We use Lemmas 1 and 2 and Lemma 3 b), c), and proceed by induction 
on the depth of the subtree visited by π. 

Theorem 4 (Completeness). If a formula A in negation normal form is 
satisfiable, then there exists a tableau for A | ∅ ; [] | (n, ∅) for some n ∈ ℕ. 

Proof. If A is satisfiable, there exists a complete Hintikka structure ℋ = (S, L) 
for A by Theorem 1. Let S be the sequence s₀s₁…, and let 𝒯 = (W, S′, L′, R) be 
the loop tree for an expanded tableau for A | ∅ ; [] | (n, uev). We define inductively 
a map φ : S → W which provides us with a path π = φ(s₀)φ(s₁)… through 𝒯 
with the following properties: 

(a) A ∈ L′(φ(sᵢ)) if i = 0. 

(b) L′(φ(sᵢ)) ⊆ L(sᵢ). 

(c) If C U D ∈ L′(φ(sᵢ)) and D ∈ L(sᵢ), then D ∈ L′(φ(sᵢ)). 

i = 0: First, A is in L′(w) for every root w ∈ W since the loop tree stems 
from a tableau for A | … | …, and A is also in L(s₀), since ℋ is a Hintikka 
structure for A. Second, there must exist a root w₀ ∈ W with L′(w₀) ⊆ L(s₀) 
since in the tableau there is a root state for each possible decomposition of A, 
and L(s₀) must contain at least one set of decomposed formulae (L(s₀) contains 
A and L fulfills (PC2) and (PC3)). Third, we can choose w₀ so that for each 
C U D ∈ L′(w₀) with D ∈ L(s₀) the decomposition {C U D, D} rather than 
{C U D, X(C U D)} is a subset of L′(w₀). Set φ(s₀) = w₀. 

i → i + 1: Assume that we have defined the map up to φ(sᵢ). We define 
the sets next := {C | XC ∈ L(sᵢ)} and next′ := {C | XC ∈ L′(φ(sᵢ))}. We 
know that next ⊆ L(sᵢ₊₁) since L fulfills (LC), and that for every successor w 
of φ(sᵢ), next′ ⊆ L′(w) (see the (X) rule of PLTL_T). Moreover, because of (b), 
we have next′ ⊆ next. Again, since in the tableau there is a successor for each 
possible decomposition of next′, and since L(sᵢ₊₁) must contain at least one 
decomposition, there must exist a wᵢ₊₁ ∈ W so that (b) and (c) are fulfilled if 
we set φ(sᵢ₊₁) to wᵢ₊₁. 

Obviously, L′ fulfills (PC0–3) and (LC) on π = φ(s₀)φ(s₁)…. Suppose now 
that there exists an eventuality C U D ∈ open(π, L′). Then there exists a state 
φ(sᵢ) so that C U D ∈ L′(φ(sⱼ)) and D ∉ L′(φ(sⱼ)) for all j ≥ i. However, 
because of (b) and (c) this would mean that C U D is in open(S, L) as well, 
which is a contradiction. Applying the previous Lemma 4 concludes the proof of 
the theorem. 

5 Conclusion 

We have presented a new one-pass tableau calculus for PLTL which works, as do 
most modal calculi, on trees rather than graphs. The representation is minimal 
but complete, that is, it can be used directly as the basis for a decision procedure 
without a second phase. It has inherent advantages compared to previous 
approaches: 1. Only one branch needs to be considered at any one time. This makes 
it a natural candidate for parallelization. 2. A simple linearization of loops 
allows one to extract linear models in a canonical way. Having the details 
of the eventuality checking incorporated in a formal way, the calculus is also a 
good starting point for theoretical investigations, for instance the verification of 
pruning techniques. These are certainly simpler to check when the underlying 
structure is a tree. A decision procedure based on PLTL_T has been implemented 
and tested and will be publicly available as a part of the Logics Workbench [10] 
version 1.1. 
Abstract. We present two constructive proofs of the decidability of 
intuitionistic propositional logic by simultaneously constructing either a 
counter-model or a derivation. From these proofs, we extract two programs 
which have a sequent as input and return a derivation or a counter-model. 
The search tree of these algorithms is linearly bounded by the 
number of connectives of the input. Soundness of these programs follows 
from giving a correct construction of the derivations, similarly to 
Hudelmaier’s work [7]; completeness from giving a correct construction of the 
counter-models, inspired by Miglioli, Moscato, and Ornaghi [8]. 



1 Introduction 

Intuitionistic proofs can be considered as programs together with their 
verification. Consequently, intuitionistic logic is a method for developing correct 
programs. To demonstrate the advantage of this approach, we construct two theorem 
provers for the propositional part by extracting them from a decidability proof. 

Taking up Fitting’s [2] completeness proof, Underwood [12] outlined how a 
decidability proof could be implemented in a formal system like NuPRL. For 
this, she proved that each set of sequents either contains a provable one or has 
a Kripke model so that each sequent is refuted at a certain node. The sequents 
themselves correspond to the nodes of a tableau. The proof is by induction on 
the number of formulas which can be added to the set of sequents, corresponding 
to a tableau rule. Underwood’s extracted program has a sequent as input and 
returns a derivation or a counter-model. Her program uses a loop-check and 
tries to construct bottom-up a repetition-free derivation in a sequent calculus, 
similarly to the decision procedure already given by Gentzen [3]. 

To avoid a loop-check, contraction-free sequent calculi were introduced by 
Hudelmaier [6] and Dyckhoff [1], rediscovering the work of Vorob’ev [13]. The 
main idea of their completeness proof is that every derivation in a sequent 
calculus can be transformed so that every left premise of a left rule for implication 
(L-⊃ in our notation below) is either an axiom or the conclusion of a right rule 
(R-…). Formalising their proof would be a thankless and hard task. Fortunately, 
Miglioli, Moscato, and Ornaghi [8] gave an alternative completeness proof of a 
similar system by constructing a Kripke model. Hudelmaier developed his 
calculus further and gave an O(n log n)-space algorithm [7]. 

H. de Swart (Ed.): TABLEAUX’98, LNAI 1397, pp. 292-306, 1998. 
In Sect. 4, we give a new proof of the decidability of intuitionistic 
propositional logic. For this, we show that for every sequent there is a derivation or 
a counter-model. We simultaneously construct a derivation, taking up 
Hudelmaier’s approach [7], or a counter-model, simplifying Miglioli, Moscato, and 
Ornaghi’s idea [8]. The extracted algorithm has a sequent as input and returns a 
derivation or a counter-model. The height of the search tree of this algorithm is 
linearly bounded by the number of logical connectives of the input. Indeed, our 
algorithm restricted to derivability coincides with Hudelmaier’s [7]. In addition, 
our algorithm terminates faster than the algorithms for refutability presented 
by Pinto and Dyckhoff [9] and Hudelmaier [4, 5], the search tree of which is only 
exponentially bounded. 

In Sect. 5, we describe how the counter-models constructed during the search 
can be used to prune the search space. 

In Sect. 6, we present an alternative proof of decidability. The algorithm 
described by this proof is completely different. Whereas the algorithm of Sect. 4 
examines the premise A of implications A ⊃ B in the left-hand side of the 
sequents, the one of Sect. 6 looks at the right-most conclusion P of the implications 
A₁ ⊃ … ⊃ Aₙ ⊃ P and selects this formula only if the right-hand side of the 
sequent coincides with P, similarly to the search strategy of Prolog. This 
algorithm turns out to be faster with sequents which are hard for the algorithm 
presented in Sect. 4, and vice versa. Thus it might be useful to have several 
algorithms. 

Since our proof is rather simple and elementary, formalising this approach 
seems promising. Indeed the ⊃-fragment is formalised in the system MINLOG [10]. 

2 Notation 

We use P, Q to denote atomic formulas and A, B, … to denote formulas. 
Formulas are generated by atomic formulas, the falsum ⊥, implications A ⊃ B, 
conjunctions A ∧ B, and disjunctions A ∨ B. Negation ¬A is treated as an 
abbreviation for A ⊃ ⊥. Lists of formulas are denoted by Γ, Δ and sequents by 
Γ ⇒ A. 

To avoid some parentheses, we write A ⊃ B ⊃ C instead of A ⊃ (B ⊃ C), 
A ∧ B ⊃ C instead of (A ∧ B) ⊃ C, and A ∨ B ⊃ C instead of (A ∨ B) ⊃ C. 

2.1 Counter-Models 

For an introduction to Kripke models, see e.g. Troelstra and van Dalen [11]. A 
Kripke model 𝒦 is a triple (K, ≤, ⊩), where K is a non-empty set of worlds 
denoted by k. We list the properties we need: 

- k ⊮ ⊥. 

- k ⊩ A ∧ B iff k ⊩ A and k ⊩ B. 

- k ⊩ A ∨ B iff k ⊩ A or k ⊩ B. 

- k ⊩ A ⊃ B iff k′ ⊩ A implies k′ ⊩ B for all k′ ≥ k. 

- If k ⊩ A and k′ ≥ k then k′ ⊩ A (monotonicity). 



We extend the relation ⊩ in a natural way to lists and write k ⊩ Γ if k ⊩ A 
for each A ∈ Γ. 

Since k ⊩ A cannot be assumed to be decidable, we have to specialise our 
semantics. A Kripke tree is a non-empty, finite, and finitely branching tree, the 
nodes of which are labelled by finite sets L of atomic formulas. We use (L, 𝒦⃗) 
to denote such a node, where 𝒦⃗ are its successors. A Kripke tree defines a triple 
(K, ≤, ⊩) by taking K as the set of the nodes, ≤ the transitive and reflexive 
closure of the successor relation, and by (L, 𝒦⃗) ⊩ P iff P ∈ L. A Kripke tree is 
a Kripke tree model if the associated triple (K, ≤, ⊩) is a Kripke model. 

For a Kripke model 𝒦 = (K, ≤, ⊩), we write 𝒦 ⊩ A if k ⊩ A holds for each 
k ∈ K. For a Kripke tree model this is, by monotonicity, equivalent to “the root 
node forces A”. Hence “a node (L, 𝒦⃗) forces A” coincides with “a tree having 
the root (L, 𝒦⃗) forces A”. Furthermore, every node of a Kripke tree model is a 
Kripke tree model itself. Thus we identify a node (L, 𝒦⃗) with a tree having that 
root. 

A Kripke model 𝒦 is a counter-model to Γ ⇒ A if 𝒦 ⊩ Γ and 𝒦 ⊮ A. In this 
case we call the sequent Γ ⇒ A refutable. 

We will later use the following lemmata to construct a Kripke tree model 
and to compute (L, 𝒦⃗) ⊩ A ⊃ B inductively. 

Lemma 1. (L, 𝒦⃗) is a Kripke tree model iff for each 𝒦′ ∈ 𝒦⃗, 𝒦′ is a Kripke tree 
model, and 𝒦′ ⊩ L. □ 

Lemma 2. Let (L, 𝒦⃗) be a Kripke tree model. (L, 𝒦⃗) ⊩ A ⊃ B if and only if 
(L, 𝒦⃗) ⊩ A implies (L, 𝒦⃗) ⊩ B, and 𝒦′ ⊩ A ⊃ B for each 𝒦′ ∈ 𝒦⃗. □ 



2.2 Derivations 

The proofs in the following sections can easily be carried out in any notation for 
derivations in intuitionistic logic. Instead of fixing a notation for derivations, 
we list the necessary properties by giving some rules in Fig. 1. These rules 
have to be read constructively: for each instance of the rule, we can compute a 
derivation of the conclusion from derivations of all premises. In that case, we say 
a rule preserves derivability. 

3 Invertibility 

In this section, we will summarise some simple properties of propositional 
intuitionistic logic so that we can focus on the essence in the next section. 

   Γ, P, Δ ⇒ P   Ax                      Γ, ⊥, Δ ⇒ A   Efq 

      Γ, A ⇒ B                      Γ, A ⊃ B, Δ ⇒ A    Γ, B, Δ ⇒ C 
   --------------- R-⊃              --------------------------------- L-⊃ 
     Γ ⇒ A ⊃ B                              Γ, A ⊃ B, Δ ⇒ C 

    Γ ⇒ A    Γ ⇒ B                          Γ, A, B, Δ ⇒ C 
   ------------------ R-∧                 -------------------- L-∧ 
      Γ ⇒ A ∧ B                             Γ, A ∧ B, Δ ⇒ C 

      Γ ⇒ A              Γ ⇒ B              Γ, A, Δ ⇒ C    Γ, B, Δ ⇒ C 
   ------------ R-∨   ------------ R-∨     ---------------------------- L-∨ 
    Γ ⇒ A ∨ B          Γ ⇒ A ∨ B                 Γ, A ∨ B, Δ ⇒ C 

    Γ, Δ ⇒ A    Γ, A, Δ ⇒ B                       Γ, Δ ⇒ B 
   -------------------------- cut               --------------- weakening 
           Γ, Δ ⇒ B                               Γ, A, Δ ⇒ B 

Fig. 1. 

A rule is called invertible iff for each instance of the rule, the derivability of 
the conclusion implies that of all premises. It is well known that most of the rules 
are invertible. Although it is not hard to prove this (by induction on derivations), 
we will not use invertibility. Instead, we will work with a semantic notion. We 
say a rule preserves refutability if for each instance, given a counter-model to 
one premise, we can compute a counter-model to the conclusion. 

Invertibility and preservation of refutability have a close connection. We sup- 
pose soundness for a moment. As soon as we have proved completeness, invertibil- 
ity will imply preservation of refutability. As soon as we have proved decidability, 
preservation of refutability will entail invertibility. 

Each rule we introduce and which preserves refutability turns out to satisfy 
the following stronger property, which is very easy to verify. 

Definition 3. A rule preserves counter-models if for each instance, a counter- 
model to at least one premise is also a counter-model to the conclusion. 



Lemma 4. The rules R-⊃, R-∧, L-∧, and L-∨ preserve counter-models. □ 



We will eliminate formulas of the form ⊥ ⊃ B on the left-hand side of sequents. 
For this, we introduce the following rule: 

       Γ, Δ ⇒ A 
   ------------------ L-⊥⊃ 
    Γ, ⊥ ⊃ B, Δ ⇒ A 

Lemma 5. L-⊥⊃ preserves derivability and counter-models. □ 

Furthermore, proofs become slightly shorter if we replace B₀ ∧ B₁ ⊃ C by 
B₀ ⊃ B₁ ⊃ C and B₀ ∨ B₁ ⊃ C by B₀ ⊃ C and B₁ ⊃ C. For this, we take the 
following rules already introduced by Vorob’ev [13]. 

    Γ, B₀ ⊃ B₁ ⊃ C, Δ ⇒ A                  Γ, B₀ ⊃ C, B₁ ⊃ C, Δ ⇒ A 
   ------------------------- L-∧⊃         ----------------------------- L-∨⊃ 
    Γ, B₀ ∧ B₁ ⊃ C, Δ ⇒ A                    Γ, B₀ ∨ B₁ ⊃ C, Δ ⇒ A 

Lemma 6. L-∧⊃ and L-∨⊃ preserve derivability and counter-models. □ 

The following linear degree w will be used in the proof of decidability. 

Definition 7. For formulas we define 

   w(P) := w(⊥) := 0 
   w(A ⊃ B) := 1 + w(A) + w(B) 
   w(A ∧ B) := 2 + w(A) + w(B) 
   w(A ∨ B) := 3 + w(A) + w(B). 

For lists of formulas we define w(B₁, …, Bₙ) := w(B₁) + … + w(Bₙ) and for 
sequents w(Γ ⇒ A) := w(Γ) + 

Each instance of any premise of the rules R-⊃, R-∧, R-∨, L-∨, L-⊥⊃, and 
L-∧⊃ has a smaller w-degree than the corresponding instance of the conclusion. 
This does not hold for L-∨⊃ if the instance of C is a composed formula. To avoid 
this, we use the following rule: 

    Γ, B ⊃ P, P ⊃ C, Δ ⇒ A 
   ------------------------- L-S 
       Γ, B ⊃ C, Δ ⇒ A 

provided P does not occur in the conclusion. 



Lemma 8. L-S preserves derivability and counter-models. 

Proof. For derivability see Hudelmaier [7]. Obviously, L-S preserves counter- 
models. □ 



Now combining L-∨⊃ and L-S 

    Γ, B₀ ⊃ P, B₁ ⊃ P, P ⊃ C, Δ ⇒ A 
   ----------------------------------- L-∨⊃ 
     Γ, B₀ ∨ B₁ ⊃ P, P ⊃ C, Δ ⇒ A 
   ----------------------------------- L-S 
        Γ, B₀ ∨ B₁ ⊃ C, Δ ⇒ A 

we verify that each instance of the upper sequent has a smaller w-degree than 
the lower sequent. 

At first sight, the rule L-S appears to increase the non-determinism by 
replacing one formula B ⊃ C by two formulas B ⊃ P and P ⊃ C, but, as it turns 
out, the second formula will only be considered if B is derived. 

In general, the rules L-⊃ and R-∨ are neither invertible nor do they preserve 
refutability or counter-models. L-⊃ is known to be semi-invertible, i.e. for each 
instance, the derivability of the conclusion Γ, A ⊃ B, Δ ⇒ C implies that of the 
right premise Γ, B, Δ ⇒ C. We will not use this property; instead, we will use 
the following property. 

Lemma 9. If 𝒦 is a counter-model to Γ, B, Δ ⇒ C, then also to Γ, A ⊃ B, Δ ⇒ 
C. □ 

In the case that the premise of an implication is atomic and is in the left-hand 
side already, we get the following rule (cf. Hudelmaier [6,7] and Dyckhoff [1]). 

      Γ, C, Δ ⇒ A 
   ------------------ L-P⊃, provided P ∈ Γ, Δ 
    Γ, P ⊃ C, Δ ⇒ A 




Decision Procedures for Intuitionistic Propositional Logic by Program Extraction 297 



Corollary 10. L-P⊃ preserves derivability and counter-models. 

Proof. By L-⊃ and Ax, we get that L-P⊃ preserves derivability. Lemma 9 says 
that L-P⊃ preserves counter-models. □ 

The above section can be summed up in the next lemma applying the 
following definition, which is an extension of Dyckhoff’s [1]. 

Definition 11. A sequent Γ ⇒ A is called irreducible if Γ contains only atomic 
formulas¹, or formulas of the form P ⊃ B where P is not in Γ, or else formulas 
of the form (B₀ ⊃ B₁) ⊃ C. Furthermore, we require that A is either a disjunction, 
or falsum, or else an atomic formula not in Γ. A sequent is called reducible if 
it is not irreducible. 

Thus a sequent Γ ⇒ A is irreducible iff Γ ⇒ A is neither an instance of a 
conclusion of one of the counter-model preserving rules introduced so far (L-S 
only if B is a disjunction and C is a composed formula), nor an instance of a 
conclusion of Ax and Efq. We will sometimes denote a sequent by S. 

Lemma 12. For each reducible Γ ⇒ A one can find S₁, …, Sₙ such that 

(a) w(Sᵢ) < w(Γ ⇒ A) for each i. 

(b) If each Sᵢ is derivable, then so is Γ ⇒ A. 

(c) If 𝒦 is a counter-model to at least one Sᵢ then also to Γ ⇒ A. 

Proof. Case Γ = Γ₀, B₀ ∧ B₁, Γ₂. Let S₁, S₂ be the left respectively right premise 
of L-∧ where B₀ ∧ B₁ is the principal formula. (a) is obvious, (b) holds since L-∧ 
preserves derivability, and (c) holds because L-∧ preserves counter-models. 

Case Γ = Γ₀, (B₀ ∨ B₁) ⊃ C, Γ₂. If C is a composed formula, then we proceed 
by combining L-∨⊃ and L-S as described above. If C is atomic or ⊥, we obtain 
our statement by L-∨⊃. 

The remaining cases follow similarly using the corresponding rules, all of 
which preserve counter-models. □ 

By a similar proof, we obtain a variant of the previous lemma, which will be 
motivated in Theorem 16. 

Lemma 13. Let A be a disjunction and B an arbitrary formula. For each 
reducible Γ₁, Γ₂ ⇒ A one can find S₁, …, Sₙ such that 

(a) The left-hand side of each Sᵢ has a smaller w-degree than Γ₁, A ⊃ B, Γ₂. 

(b) If each Sᵢ is derivable, then so is Γ₁, A ⊃ B, Γ₂ ⇒ A. 

(c) If 𝒦 is a counter-model to at least one Sᵢ then also to Γ₁, A ⊃ B, Γ₂ ⇒ A. 

(d) Each Sᵢ is of the form Γ₁,ᵢ, A ⊃ B, Γ₂,ᵢ ⇒ A. □ 



¹ Note that ⊥ is by definition not atomic. 
4 Forward chaining 

How can we deal with the implication in the context Γ, A ⊃ B, Δ ⇒ C? One 
tactic is to search for a derivation of Γ, A ⊃ B, Δ ⇒ A and then to go on with 
Γ, B, Δ ⇒ C. This can be called forward chaining. The problem is how to enforce 
termination without destroying completeness. 

The first premise Γ, A ⊃ B, Δ ⇒ A has a particular form: the right-hand side 
A occurs as a premise of an implication on the left-hand side. If A is a composed 
formula, then, as observed by Hudelmaier, the problem can be reduced to a 
smaller one of the same form. For this, he introduced the rules G/2⊃, G/2∧, 
and G/2∨ in [7]. We rename G/2⊃ to L2-⊃⊃ and G/2∧ to L2-∧⊃. In G/2∨, the 
rule L-S is incorporated. We separate L-S and call the remaining part L2-∨⊃. 



         A₀, Γ, A₁ ⊃ B, Δ ⇒ A₁ 
   ----------------------------------- L2-⊃⊃ 
    Γ, (A₀ ⊃ A₁) ⊃ B, Δ ⇒ A₀ ⊃ A₁ 

    Γ, A₀ ⊃ B, Δ ⇒ A₀    Γ, A₁ ⊃ B, Δ ⇒ A₁ 
   ----------------------------------------- L2-∧⊃ 
         Γ, A₀ ∧ A₁ ⊃ B, Δ ⇒ A₀ ∧ A₁ 

      Γ, A₀ ⊃ B, A₁ ⊃ B, Δ ⇒ Aᵢ 
   ----------------------------------- L2-∨⊃ᵢ, where i ∈ {0, 1} 
    Γ, A₀ ∨ A₁ ⊃ B, Δ ⇒ A₀ ∨ A₁ 



Lemma 14. L2-⊃⊃ and L2-∧⊃ preserve derivability and counter-models, 
L2-∨⊃ preserves derivability (only). 

Proof. To see that L2-⊃⊃ preserves derivability, use cut and a derivation of 
A₀, (A₀ ⊃ A₁) ⊃ B ⇒ A₁ ⊃ B. To see that L2-∧⊃ preserves derivability, use cut 
and a derivation of (A₀ ⊃ B) ⊃ A₀, (A₁ ⊃ B) ⊃ A₁, A₀ ∧ A₁ ⊃ B ⇒ A₀ ∧ A₁. To 
prove that L2-∨⊃ preserves derivability, combine R-∨ and L-∨⊃. 

The proof that L2-⊃⊃ and L2-∧⊃ preserve counter-models is easy and is 
therefore left to the reader. □ 

Note that L2-∨⊃ is neither invertible nor refutability-preserving. 

How can we deal with the implications P ⊃ A where P is atomic? If P is 
in the left-hand side, we apply L-P⊃. What do we have to do if P is not in 
the left-hand side? Then we need not consider these formulas, as the following 
lemma shows. This was already observed by Vorob’ev [13], but we give a much 
simpler proof. 

Lemma 15. Let Γ ⇒ A be an irreducible sequent. Let 𝒦⃗ be Kripke tree models 
so that 𝒦′ ⊩ Γ for each 𝒦′ ∈ 𝒦⃗, and for each formula (B₀ ⊃ B₁) ⊃ C in Γ there 
is a counter-model in 𝒦⃗ to Γ ⇒ B₀ ⊃ B₁. Furthermore, if A is a disjunction 
A₀ ∨ A₁, then suppose that there are counter-models 𝒦₀, 𝒦₁ in 𝒦⃗ to Γ ⇒ A₀, 
Γ ⇒ A₁ respectively. Then 𝒦 := ({P : P ∈ Γ}, 𝒦⃗) is a counter-model to Γ ⇒ A. 
Proof. As 𝒦′ ⊩ Γ implies 𝒦′ ⊩ {P : P ∈ Γ}, Lemma 1 provides that 𝒦 is a 
Kripke tree model. 

Let D ∈ Γ. We have to show 𝒦 ⊩ D. Since Γ ⇒ A is irreducible, D is either 
an atom, or an implication B ⊃ C where B is either B₀ ⊃ B₁, or else an atom 
not in Γ. If D is an atomic formula, then D ∈ {P : P ∈ Γ} and hence 𝒦 ⊩ D. 
If D = B ⊃ C, then by Lemma 2 and because of 𝒦′ ⊩ Γ, it is sufficient to show 
that 𝒦 ⊩ B implies 𝒦 ⊩ C. We show 𝒦 ⊮ B. If B is an atom not in Γ, then 
B ∉ {P : P ∈ Γ} and hence 𝒦 ⊮ B. Otherwise B = B₀ ⊃ B₁ and there is a 𝒦′ 
in 𝒦⃗ such that 𝒦′ ⊮ B, implying 𝒦 ⊮ B by monotonicity. 

It remains to show 𝒦 ⊮ A. Since Γ ⇒ A is irreducible, A is either an atom not 
in Γ, or ⊥, or a disjunction A₀ ∨ A₁. In the first case we have A ∉ {P : P ∈ Γ} 
and hence 𝒦 ⊮ A. If A = ⊥, then 𝒦 ⊮ A by definition. Otherwise A = A₀ ∨ A₁. 
Here there are 𝒦₀, 𝒦₁ ∈ 𝒦⃗ where 𝒦ᵢ ⊮ Aᵢ. By monotonicity we get 𝒦 ⊮ A₀ and 
𝒦 ⊮ A₁. Hence 𝒦 ⊮ A₀ ∨ A₁ by definition. □ 

Particularly, if Γ ⇒ P/⊥ is irreducible and Γ does not contain formulas of 
the form (B₀ ⊃ B₁) ⊃ C, then ({P : P ∈ Γ}, ε) is a counter-model to Γ ⇒ P/⊥. 
The previous lemma is the computational content of the refutation rules 

    Γ ⇏ B₁ ⊃ C₁   ⋯   Γ ⇏ Bₙ ⊃ Cₙ 
   -------------------------------- 
               Γ ⇏ P/⊥ 

    Γ ⇏ B₁ ⊃ C₁   ⋯   Γ ⇏ Bₙ ⊃ Cₙ    Γ ⇏ A₀    Γ ⇏ A₁ 
   ---------------------------------------------------- 
                      Γ ⇏ A₀ ∨ A₁ 

provided that Γ ⇒ P, Γ ⇒ ⊥, and Γ ⇒ A₀ ∨ A₁ respectively, are irreducible, 
and where (B₁ ⊃ C₁) ⊃ D₁, …, (Bₙ ⊃ Cₙ) ⊃ Dₙ are all nested implications in Γ. 
Separating L2-⊃⊃ from the rule (11) given by Pinto and Dyckhoff [9], our rules 
coincide with a non-multi-succedent version of theirs. While Pinto and Dyckhoff 
work with the rules themselves, we work with the computational content of the 
rules. Thus we do not have to construct the counter-models in a second step, 
unlike the approach of Pinto and Dyckhoff. 

Now we are ready to prove the decidability of intuitionistic propositional 
logic. This will be done in part (i) of the following theorem. For the proof, we 
also need part (ii). Note that in (ii) the right-hand side of the sequent does not 
contribute to the w-degree. 

Theorem 16. Let n be any natural number. 

(i) Each Γ ⇒ A with w(Γ, A) < n has either a derivation or a counter-model. 

(ii) Each Γ₁, A ⊃ B, Γ₂ ⇒ A with w(Γ₁, A ⊃ B, Γ₂) < n has either a derivation 
or a counter-model. 

Proof. We proceed by simultaneous, progressive induction on n, i.e. let n be 
given and we are allowed to use the induction hypothesis for (i) and (ii) for 
all m < n. First we prove (i), then we prove (ii). We write IH for “induction 
hypothesis” . 
As for (i), we proceed by case analysis on whether (1) the sequent is reducible, 
or (2) the sequent is an instance of Efq or Ax, or (3) the IH(ii) on the left premise 
of an instance of a combination of L2-⊃⊃ and L-⊃ yields a derivation for at least 
one formula (B₀ ⊃ B₁) ⊃ C of Γ, or (4) A is a disjunction and the IH(i) on at 
least one premise of R-∨ provides a derivation, or else the remaining case. 

Case 1. Γ ⇒ A is reducible. Let S₁, …, Sₙ be the sequents obtained from 
Lemma 12. The IH(i) on each Sᵢ yields either a derivation for all Sᵢ or a 
counter-model to at least one Sᵢ. In the first case, we get a derivation of Γ ⇒ A by (b) of 
Lemma 12. In the second case, we have already got a counter-model to Γ ⇒ A 
according to (c) of Lemma 12. 

Case 2. ⊥ ∈ Γ or A is atomic and in Γ. Here we get a derivation by Efq or 
Ax respectively. 

Case 3. For a partition Γ = Γ₁, (B₀ ⊃ B₁) ⊃ C, Γ₂ the IH(ii) on B₀, Γ₁, B₁ ⊃ 
C, Γ₂ ⇒ B₁ yields a derivation. Here we apply L2-⊃⊃ to obtain a derivation of 
Γ₁, (B₀ ⊃ B₁) ⊃ C, Γ₂ ⇒ B₀ ⊃ B₁. Moreover, the IH(i) on Γ₁, C, Γ₂ ⇒ A yields 
a derivation or a counter-model. In the first case, L-⊃ provides a derivation of 
Γ ⇒ A. In the second case, we have already got a counter-model to that sequent 
by Lemma 9. 

Case 4. A = A₀ ∨ A₁ and the IH(i) on Γ ⇒ A₀ or on Γ ⇒ A₁ yields a 
derivation. Here, R-∨ provides a derivation of Γ ⇒ A. 

Remaining case. For every partition Γ = Γ₁, (B₀ ⊃ B₁) ⊃ C, Γ₂ the IH(ii) 
yields a counter-model to B₀, Γ₁, B₁ ⊃ C, Γ₂ ⇒ B₁ and if A = A₀ ∨ A₁, the 
IH(i) on both Γ ⇒ A₀ and Γ ⇒ A₁ also yields two counter-models. Let 𝒦⃗ be all 
these counter-models. Since L2-⊃⊃ preserves counter-models, counter-models 
to B₀, Γ₁, B₁ ⊃ C, Γ₂ ⇒ B₁ are also counter-models to Γ ⇒ B₀ ⊃ B₁. Hence, by 
Lemma 15, ({P : P ∈ Γ}, 𝒦⃗) is a counter-model to Γ ⇒ A. This completes the 
proof of (i). 

As for (ii) we proceed by case analysis on the form of A. 

Case A atomic or ⊥. As we have already proved (i) for n, we can apply (i) 
to the sequent Γ₁, A ⊃ B, Γ₂ ⇒ A. 

Case A = A₀ ⊃ A₁. The IH(ii) on A₀, Γ₁, A₁ ⊃ B, Γ₂ ⇒ A₁ yields a derivation 
or a counter-model. Since L2-⊃⊃ preserves derivability and counter-models, we 
obtain a derivation of Γ₁, (A₀ ⊃ A₁) ⊃ B, Γ₂ ⇒ A₀ ⊃ A₁ or we have already got a 
counter-model to that sequent. 

Case A = A₀ ∧ A₁. Similarly using L2-∧⊃. 

Case A = A₀ ∨ A₁. Here we have to consider similar cases as in (i). 

Subcase 1. Γ₁, Γ₂ ⇒ A is not irreducible. Let S₁, …, Sₙ be the sequents 
obtained from Lemma 13. The IH(ii) on each Sᵢ yields either a derivation for all 
Sᵢ or a counter-model to at least one Sᵢ. We proceed as in (i) case 1. 

Subcase 2. ⊥ ∈ Γ or A is atomic and in Γ. Analogously to (i) case 2. 

Subcase 3. For a formula (C₀ ⊃ C₁) ⊃ D of Γ₁, Γ₂, the IH(ii) yields a derivation 
as in (i) case 3. We proceed as in (i) case 3, replacing “IH(i)” by “IH(ii)”. 

Subcase 4a. B is atomic or ⊥ and the IH(ii) on Γ₁, A₀ ⊃ B, A₁ ⊃ B, Γ₂ ⇒ A₀ 
or on Γ₁, A₀ ⊃ B, A₁ ⊃ B, Γ₂ ⇒ A₁ yields a derivation. Then L2-∨⊃ provides a 
derivation of the sequent under consideration. 

Subcase 4b. B is a composed formula and the IH(ii) on Γ₁, A₀ ⊃ P, A₁ ⊃ P, P ⊃ 
B, Γ₂ ⇒ A₀ or on Γ₁, A₀ ⊃ P, A₁ ⊃ P, P ⊃ B, Γ₂ ⇒ A₁ where P is a new atomic 
formula yields a derivation. Using L2-∨⊃ and L-S provides a derivation. 

In the remaining subcase we construct a counter-model as in (i), again 
replacing “IH(i)” by “IH(ii)”. □ 

This proof describes an algorithm returning a derivation or a counter-model 
for a sequent Γ ⇒ A. The algorithm consists of two parts, say search(i) and 
search(ii). After applying bottom-up all rules preserving counter-models, if the 
new sequent is not an instance of the conclusion of the rules Ax or Efq, search(i) 
picks up all the formulas (B₀ ⊃ B₁) ⊃ C one after the other and applies search(ii) 
to B₀, Γ₁, B₁ ⊃ C, Γ₂ ⇒ B₁ where Γ = Γ₁, (B₀ ⊃ B₁) ⊃ C, Γ₂. If a derivation is 
returned for one of these sequents, search(i) is called on Γ₁, C, Γ₂ ⇒ A. Otherwise, 
search(i) tries to apply R-∨; if this does not succeed either, a counter-model is 
returned. 

Search(ii) applies L2-⊃⊃ and L2-∧⊃ until A is an atom or a disjunction 
A₀ ∨ A₁. In the first case, search(i) is applied. In the second case, all nested 
implications are picked up as in search(i), and if this fails, L2-∨⊃ is tested (if B 
is a composed formula, only in combination with L-S). If this does not succeed 
either, a counter-model is returned. 

Immediately, we see that the number of recursions is bounded by twice the 
w-degree of the input sequent. If we do not count the call of search(i) in search(ii) 
on the identical sequent, the number of recursions is even bounded by the 
w-degree of the input. Hence we obtain the following estimate. 

Corollary 17. If a sequent Γ ⇒ A is refutable, then the algorithm described 
above returns a counter-model with height less than w(Γ ⇒ A) + 1. □ 
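The search(i)/search(ii) procedure just described, as an added Python example that is neither the paper's own code nor its MINLOG formalisation: it covers only the fragment with atoms, ⊥ and ⊃ (so no ∧, ∨ or L-S), encodes A ⊃ B as the pair (A, B), computes the w-degree of Definition 7 on that fragment, and checks every counter-model it returns against Lemmas 1 and 2 and the height bound of Corollary 17 (taking w(Γ ⇒ A) = w(Γ) + w(A)). 

```python
# Added example, not the authors' MINLOG extraction: the search(i)/search(ii)
# procedure of Sect. 4 restricted to atoms, falsum and implication.  decide()
# returns a derivation (nested tuples labelled with the rule names of the text)
# or a Kripke tree counter-model built as in Lemma 15.
BOT = "⊥"  # falsum (not an atom, cf. footnote 1); any other str is an atom;
           # an implication A ⊃ B is encoded as the pair (A, B)

def is_atom(f):
    return isinstance(f, str) and f != BOT

def is_imp(f):
    return isinstance(f, tuple)

def w(f):
    """Definition 7 on this fragment: w(P) = w(⊥) = 0, w(A ⊃ B) = 1 + w(A) + w(B)."""
    return 1 + w(f[0]) + w(f[1]) if is_imp(f) else 0

def forces(k, f):
    """k ⊩ f for a Kripke tree k = (label, successors); Lemma 2 handles ⊃."""
    label, succ = k
    if f == BOT:
        return False
    if is_atom(f):
        return f in label
    a, b = f
    return (forces(k, b) or not forces(k, a)) and all(forces(c, f) for c in succ)

def is_tree_model(k):
    """Lemma 1: each successor forces the label and is a tree model itself."""
    label, succ = k
    return all(label <= c[0] and is_tree_model(c) for c in succ)

def height(k):
    """Longest root-to-leaf path, so a single node has height 0."""
    return max((1 + height(c) for c in k[1]), default=0)

def decide(gamma, a):
    """Part (i) of Theorem 16: ('der', tree) or ('cm', kripke) for gamma ⇒ a."""
    gamma = list(gamma)
    seq = (tuple(gamma), a)
    if BOT in gamma:                                    # Efq
        return "der", ("Efq", seq)
    if is_atom(a) and a in gamma:                       # Ax
        return "der", ("Ax", seq)
    if is_imp(a):                                       # R-⊃ preserves both
        kind, r = decide(gamma + [a[0]], a[1])
        return (kind, ("R-⊃", seq, r)) if kind == "der" else (kind, r)
    for i, f in enumerate(gamma):                       # reducible antecedents
        if not is_imp(f):
            continue
        b, c = f
        rest = gamma[:i] + gamma[i + 1:]
        if b == BOT:                                    # L-⊥⊃
            kind, r = decide(rest, a)
            return (kind, ("L-⊥⊃", seq, r)) if kind == "der" else (kind, r)
        if is_atom(b) and b in gamma:                   # L-P⊃: P already present
            kind, r = decide(rest + [c], a)
            return (kind, ("L-P⊃", seq, r)) if kind == "der" else (kind, r)
    # gamma ⇒ a is now irreducible: forward chaining on every (B0 ⊃ B1) ⊃ C
    models = []
    for i, f in enumerate(gamma):
        if not (is_imp(f) and is_imp(f[0])):
            continue
        (b0, b1), c = f
        rest = gamma[:i] + gamma[i + 1:]
        kind, left = search_ii([b0] + rest, (b1, c))    # B0, Γ', B1 ⊃ C ⇒ B1
        if kind == "cm":
            models.append(left)  # by Lemma 14 it also refutes Γ ⇒ B0 ⊃ B1
            continue
        l2 = ("L2-⊃⊃", (tuple(gamma), (b0, b1)), left)  # Γ ⇒ B0 ⊃ B1 derived
        kind, right = decide(rest + [c], a)             # right premise of L-⊃
        if kind == "der":
            return "der", ("L-⊃", seq, l2, right)
        return "cm", right                              # Lemma 9
    return "cm", (frozenset(p for p in gamma if is_atom(p)), models)  # Lemma 15

def search_ii(gamma, ab):
    """Part (ii): gamma, A ⊃ B ⇒ A with marked formula ab = (A, B).  L2-⊃⊃ peels
    the succedent until it is an atom or ⊥; then part (i) takes over."""
    a, b = ab
    if is_imp(a):                                       # A0, Γ, A1 ⊃ B ⇒ A1
        kind, r = search_ii([a[0]] + gamma, (a[1], b))
        seq = (tuple(gamma) + (ab,), a)
        return (kind, ("L2-⊃⊃", seq, r)) if kind == "der" else (kind, r)
    return decide(gamma + [ab], a)

def verify(gamma, a):
    """Decide gamma ⇒ a; a counter-model must be a Kripke tree model forcing gamma
    but not a, with height below w(Γ ⇒ A) + 1 (Corollary 17, where w(Γ ⇒ A) is
    taken as w(Γ) + w(A)).  Returns (kind, ok)."""
    kind, result = decide(gamma, a)
    if kind == "der":
        return kind, True
    ok = (is_tree_model(result) and all(forces(result, g) for g in gamma)
          and not forces(result, a)
          and height(result) < sum(map(w, gamma)) + w(a) + 1)
    return kind, ok
```

For Peirce's law, verify([], ((("P", "Q"), "P"), "P")) returns ('cm', True) with the two-node counter-model (∅, [({P}, [])]), whereas the intuitionistically derivable ¬¬¬P ⊃ ¬P returns ('der', True). 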

While Hudelmaier [7] and Pinto and Dyckhoff [9] essentially proved 
completeness and termination for their calculi LF and LJT* respectively, allowing one 
to extract a decision algorithm for intuitionistic propositional logic, the present 
work starts off with a proof of decidability from which one can read off a 
decision procedure. However, when dropping the task of producing counter-models, 
this decision procedure coincides with that for LF. Furthermore, if we proved 
decidability using the computational contents of the rules given by Pinto and 
Dyckhoff, we would obtain an algorithm similar to that for LJT*, when dropping 
counter-models, and similar to CRIP, when dropping derivations. 



5 Pruning the search tree 

In contrast to Underwood’s [12] approach, where the counter-model is 
constructed after the whole search fails, the present approach constructs local 
counter-models during the search. These local counter-models can be used to reduce 
the non-determinism. For example we consider (cf. Fig. 2) an irreducible 
sequent (B₀ ⊃ B₁) ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ A. To derive that sequent, we select 
(B₀ ⊃ B₁) ⊃ B₂ and search for a derivation of (B₀ ⊃ B₁) ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ 
B₀ ⊃ B₁. Now L2-⊃⊃ reduces this to the search for B₀, B₁ ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ 
D₂ ⇒ B₁. For simplicity, we assume that B₁ is atomic and that the sequent is 
irreducible. Furthermore, we assume that selecting each formula (C₀ ⊃ C₁) ⊃ C₂ 
of Γ yields a counter-model 

   𝒦_C to B₀, B₁ ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ C₀ ⊃ C₁. 

Finally we select (D₀ ⊃ D₁) ⊃ D₂ and apply L2-⊃⊃ bottom-up. 



                   D₀, B₀, B₁ ⊃ B₂, Γ, D₁ ⊃ D₂ ⇒ D₁ 
                  ------------------------------------------- L2-⊃⊃ 
                   B₀, B₁ ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ D₀ ⊃ D₁     B₀, B₁ ⊃ B₂, Γ, D₂ ⇒ B₁ 
                  ------------------------------------------------------------------------ L-⊃ 
                              B₀, B₁ ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ B₁ 
   ------------------------------------------------------------------ L2-⊃⊃ 
    B, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ B₀ ⊃ B₁ †                              B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ A 
   ------------------------------------------------------------------------------------------- L-⊃ 
                          (B₀ ⊃ B₁) ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ A 

   † B = (B₀ ⊃ B₁) ⊃ B₂ 

Fig. 2. 

We have to search for the sequents 

(1a) D₀, B₀, B₁ ⊃ B₂, Γ, D₁ ⊃ D₂ ⇒ D₁, 

(2a) B₀, B₁ ⊃ B₂, Γ, D₂ ⇒ B₁, and 

(3a) B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ A. 

We assume that these sequents are irreducible. For the search we have to select 
each formula (C₀ ⊃ C₁) ⊃ C₂ of Γ again, unless we have a counter-model to 

(1b) D₀, B₀, B₁ ⊃ B₂, Γ, D₁ ⊃ D₂ ⇒ C₀ ⊃ C₁, 

(2b) B₀, B₁ ⊃ B₂, Γ, D₂ ⇒ C₀ ⊃ C₁, 

(3b) B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ C₀ ⊃ C₁, respectively. 

Possibly 𝒦_C is a counter-model to one of these sequents; we only have to check 
if 

(1c) 𝒦_C ⊩ D₀,² 

(2c) 𝒦_C ⊩ D₂, 

(3c) 𝒦_C ⊩ B₂, respectively. 

If we do not obtain a derivation of (1a) or (2a), we have to select each formula 
(C₀ ⊃ C₁) ⊃ C₂ of Γ, (D₀ ⊃ D₁) ⊃ D₂ in order to search for either a derivation of 
or a counter-model to (B₀ ⊃ B₁) ⊃ B₂, Γ, (D₀ ⊃ D₁) ⊃ D₂ ⇒ C₀ ⊃ C₁. Yet, 𝒦_C 
are counter-models to those sequents already! 

In other steps of the algorithm, we can proceed similarly. In this way, we can 
prune the search tree. To do this, we have to pass the counter-models up, left, 
and down, which cannot be done by a sequent calculus. 

² Since 𝒦_C ⊩ (D₀ ⊃ D₁) ⊃ D₂ implies 𝒦_C ⊩ D₁ ⊃ D₂. 
Of course, in the worst case, we have to consider the whole tree in order to 
verify that a Kripke tree model forces a formula. Thus pruning the search tree 
in this way does not always reduce the runtime. But if 
the formula contains no ⊃, we only have to consider the root of a Kripke tree. 

Moreover, although an automatic theorem prover can handle most sequents very fast, it may exceed an acceptable runtime, since deciding intuitionistic propositional logic is PSPACE-hard. In this case an interactive prover may help the user by indicating which formulas he or she need not select. Here the additional runtime of checking whether a Kripke tree model forces a formula is almost always acceptable.

6 Backward Chaining

We will now give an alternative proof of decidability. The proof is much simpler if we restrict ourselves to the ⊃-fragment. We will do so now. In this section, formulas are only generated by atomic formulas and implications. By abuse of notation, we use A ⊃ B to denote A_1 ⊃ ... ⊃ A_n ⊃ B, where the list A is possibly empty; in this case, we identify A ⊃ B with B. In the ⊃-fragment, every formula B has the form (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q for k ≥ 0. Q is called the head of B. Since R-⊃ preserves derivability and counter-models, we only have to consider sequents where the right-hand side is atomic.

To derive a sequent Γ ⇒ P, we want to select a formula B from the context Γ only if the head of B is equal to P. We call this backward chaining.

We will use a generalisation of L2-∧⊃ and L2-⊃⊃:

    A_1, Γ_1, Q_1 ⊃ Q, Γ_2 ⇒ Q_1   ...   A_k, Γ_1, Q_k ⊃ Q, Γ_2 ⇒ Q_k
    ----------------------------------------------------------------- L3-⊃*
              Γ_1, (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q, Γ_2 ⇒ Q

Note that in the case k > 1, or k = 1 and A_1 ≠ ε, each premise has a lower w-degree than the conclusion. Also note that, in the ⊃-fragment, w coincides with the total number of ⊃'s.

Lemma 18. L3-⊃* preserves derivability and counter-models.

Proof. To prove that L3-⊃* preserves derivability, we assume derivations of A_i, Γ_1, Q_i ⊃ Q, Γ_2 ⇒ Q_i for each i. By induction on the length of A_i and by L2-⊃⊃, we obtain derivations of Γ_1, (A_i ⊃ Q_i) ⊃ Q, Γ_2 ⇒ A_i ⊃ Q_i. By induction on k and by L2-∧⊃, we get a derivation of Γ_1, (A_1 ⊃ Q_1) ∧ ... ∧ (A_k ⊃ Q_k) ⊃ Q, Γ_2 ⇒ Q. Since (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q ⇒ (A_1 ⊃ Q_1) ∧ ... ∧ (A_k ⊃ Q_k) ⊃ Q is derivable, cut yields a derivation of Γ_1, (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q, Γ_2 ⇒ Q.

To prove that L3-⊃* preserves counter-models, one either proceeds in a similar way, or one proves it directly. □

Definition 19. A formula B is a properly nested implication if B is of the form (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q where k > 1, or k = 1 and A_1 ≠ ε.

If B is not a properly nested implication, i.e. B = Q_1 ⊃ Q, we do not reach our goal completely. But we can deal with these formulas by means of a simple loop-check.

Definition 20. A chain in Γ from P_1 to P_n is a list of implications P_1 ⊃ P_2, P_2 ⊃ P_3, ..., P_{n-1} ⊃ P_n where each formula P_i ⊃ P_{i+1} is in Γ. The empty list is a chain in Γ from P to P, for every P.

Lemma 21. Suppose there is a chain in Γ from P_1 to P_n. If Γ ⇒ P_1 is derivable, then so is Γ ⇒ P_n. □

Definition 22. An atomic formula P_1 is called significant for Γ ⇒ P if there is a chain from P_1 to P in Γ.

Lemma 23. Let P_1 ⊃ P_2 ∈ Γ. If P_2 is significant for Γ ⇒ P_n, then so is P_1. □

Now we give an alternative construction of a counter-model. 

Lemma 24. Let a sequent Γ ⇒ P and a list of Kripke tree models 𝐊 be given. Let L be the set of all atomic formulas significant for Γ ⇒ P. Suppose L ∩ Γ = ∅ and 𝒦' ⊩ Γ for each 𝒦' in 𝐊. Furthermore, suppose that for each properly nested implication (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q in Γ where Q is significant for Γ ⇒ P, there is a 𝒦' ∈ 𝐊 such that 𝒦' is a counter-model to Γ ⇒ Q. Then 𝒦 := (∩π_left(𝐊) − L, 𝐊) is a counter-model to Γ ⇒ P, where ∩π_left(𝐊) denotes the intersection of the labels of the roots of 𝐊.[3]

Proof. First note that 𝒦 is a Kripke tree model by Lemma 1. Furthermore, we have 𝒦 ⊮ P, since P ∈ L. It remains to show 𝒦 ⊩ Γ. Assume B ∈ Γ.

Case B is atomic. By assumption B ∉ L and 𝒦' ⊩ B, i.e. by definition B ∈ π_left(𝒦') for each 𝒦'. Hence B ∈ ∩π_left(𝐊) − L.

Case B = P_1 ⊃ P_2. Due to 𝒦' ⊩ B for each 𝒦' and Lemma 2, we only have to show that 𝒦 ⊩ P_1 implies 𝒦 ⊩ P_2. Assume 𝒦 ⊩ P_1. Then by definition P_1 ∈ ∩π_left(𝐊) and P_1 ∉ L. The former is equivalent to 𝒦' ⊩ P_1 for each 𝒦'. By assumption 𝒦' ⊩ Γ, particularly 𝒦' ⊩ P_1 ⊃ P_2, it follows that 𝒦' ⊩ P_2. Hence P_2 ∈ ∩π_left(𝐊). The latter is equivalent to P_1 non-significant. By Lemma 23, P_2 is non-significant as well, i.e. P_2 ∉ L.

Case B = (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q is a properly nested implication: By Lemma 2 we only have to show that 𝒦 ⊩ A_i ⊃ Q_i for each i implies 𝒦 ⊩ Q.

Subcase Q is significant. Then there is a 𝒦' so that 𝒦' is a counter-model to Γ ⇒ Q. Since 𝒦' ⊩ B and 𝒦' ⊩ A_i ⊃ Q_i for each i using monotonicity, we get 𝒦' ⊩ Q. This yields absurdity by 𝒦' ⊮ Q, and hence 𝒦 ⊮ A_i ⊃ Q_i for some i.

Subcase Q is not significant, i.e. Q ∉ L. Assume that 𝒦 ⊩ A_i ⊃ Q_i for each i. By monotonicity 𝒦' ⊩ A_i ⊃ Q_i for each 𝒦' and for each i. By the assumption 𝒦' ⊩ Γ, particularly 𝒦' ⊩ B, it follows 𝒦' ⊩ Q. Hence Q ∈ ∩π_left(𝐊) − L, i.e. 𝒦 ⊩ Q by definition. □

[3] To avoid running into infinite sets, we interpret ∩π_left(ε) as the set of all atomic formulas occurring as sub-formulas in Γ ⇒ P. Here a more elegant approach would be to work with (L, 𝐊) ⊩ P iff P ∉ L instead.
In the previous section, the labelling of the nodes was minimal in the sense that each label has to contain at least all atomic formulas in Γ.

By monotonicity the label must be included in ∩π_left(𝐊). Furthermore, the label must not contain any significant atomic formula. Hence, now the labelling is maximal. The advantage of this labelling is that the trees are smaller, since there are fewer possibilities to enlarge the label. To see this, note that a Kripke tree model with each node having identical labels is equivalent to the leaf with the same label; hence enlarging the label is essential.

Now we give the alternative proof of decidability. 

Theorem 25. Each sequent Γ ⇒ P has a derivation or a counter-model.

Proof. We proceed by progressive induction on w(Γ).

Case. There is a significant Q in Γ. Then there is a chain from Q to P in Γ by definition. Lemma 21 provides a suitable derivation.

Case. For a partition Γ = Γ_1, B, Γ_2 where B = (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q is a properly nested implication and where Q is significant, the induction hypothesis on A_i, Γ_1, Q_i ⊃ Q, Γ_2 ⇒ Q_i yields a derivation for each 1 ≤ i ≤ k. Since L3-⊃* preserves derivability, we obtain a derivation of Γ ⇒ Q. Lemma 21 yields a derivation of Γ ⇒ P as required.

Remaining case. Γ has no significant atom and for each partition Γ = Γ_1, B, Γ_2 where B = (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q is a properly nested formula and where Q is significant, the induction hypothesis yields a counter-model to A_i, Γ_1, Q_i ⊃ Q, Γ_2 ⇒ Q_i for an i. Since L3-⊃* preserves counter-models, this is also a counter-model to Γ ⇒ Q. Let 𝐊 be the list of all these counter-models. By Lemma 24, (∩π_left(𝐊) − L, 𝐊) is a counter-model to Γ ⇒ P. □

Again we extract an algorithm from this proof. It successively picks up each properly nested formula (A_1 ⊃ Q_1) ⊃ ... ⊃ (A_k ⊃ Q_k) ⊃ Q where Q is significant, and applies the algorithm recursively to A_i, Γ_1, Q_i ⊃ Q, Γ_2 ⇒ Q_i until all recursive calls are successful. In this case we get a derivation, otherwise we obtain a counter-model. Pruning as described in Sect. 5 is possible here as well.
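The algorithm just extracted, written out in Python as an added example (it is not the paper's code nor its Minlog extraction): significant atoms are computed as the fixed point of Lemma 23, a significant atom in Γ is closed by Lemma 21, and otherwise every properly nested implication with significant head is tried via the premises of L3-⊃*. The tuple encoding of formulas, the function names and the sample sequents are my own choices.

```python
"""Backward chaining for the ⊃-fragment of intuitionistic propositional logic:
the decision procedure read off from Theorem 25 (added example, not the paper's code)."""
from typing import List, Set, Tuple, Union

# Formulas: an atom is a str, an implication is ('imp', A, B).  Following the paper's
# abuse of notation, imps([A1, ..., An], B) builds A1 ⊃ ... ⊃ An ⊃ B.
Formula = Union[str, tuple]


def imp(a: Formula, b: Formula) -> Formula:
    return ('imp', a, b)


def imps(ants: List[Formula], head: Formula) -> Formula:
    for a in reversed(ants):          # right-nested; the empty list gives head itself
        head = imp(a, head)
    return head


def uncurry(b: Formula) -> Tuple[List[Formula], str]:
    """Split B = X1 ⊃ ... ⊃ Xk ⊃ Q into ([X1, ..., Xk], Q) with atomic head Q."""
    xs = []
    while not isinstance(b, str):
        xs.append(b[1])
        b = b[2]
    return xs, b


def significant(gamma: List[Formula], p: str) -> Set[str]:
    """Atoms with a chain to p in gamma (Definitions 20 and 22), computed as the
    least fixed point of Lemma 23 over the implications P1 ⊃ P2 between atoms."""
    sig = {p}
    atomic_imps = []
    for f in gamma:
        if not isinstance(f, str):
            xs, q = uncurry(f)
            if len(xs) == 1 and isinstance(xs[0], str):   # P1 ⊃ P2 with P1 atomic
                atomic_imps.append((xs[0], q))
    changed = True
    while changed:
        changed = False
        for p1, p2 in atomic_imps:
            if p2 in sig and p1 not in sig:
                sig.add(p1)
                changed = True
    return sig


def derivable(gamma: List[Formula], p: str) -> bool:
    """Decide Γ ⇒ P for atomic P by the case analysis in the proof of Theorem 25."""
    sig = significant(gamma, p)
    # Case: a significant atom Q occurs in Γ; Lemma 21 turns its chain into a derivation.
    if any(isinstance(f, str) and f in sig for f in gamma):
        return True
    # Case: some properly nested B = (A1 ⊃ Q1) ⊃ ... ⊃ (Ak ⊃ Qk) ⊃ Q with significant
    # head Q whose L3-⊃* premises  Ai, Γ1, Qi ⊃ Q, Γ2 ⇒ Qi  are all derivable.
    for i, b in enumerate(gamma):
        if isinstance(b, str):
            continue
        xs, q = uncurry(b)
        parts = [uncurry(x) for x in xs]                  # Xi = Ai ⊃ Qi
        properly_nested = len(parts) > 1 or (len(parts) == 1 and len(parts[0][0]) > 0)
        if not properly_nested or q not in sig:
            continue
        rest = gamma[:i] + gamma[i + 1:]                  # Γ1, Γ2 without B
        if all(derivable(a_i + rest + [imp(q_i, q)], q_i) for a_i, q_i in parts):
            return True
    # Remaining case: every candidate fails; Lemma 24 assembles a counter-model.
    return False


def decide(gamma: List[Formula], goal: Formula) -> bool:
    """Apply R-⊃ until the right-hand side is atomic, then chain backwards."""
    gamma = list(gamma)
    while not isinstance(goal, str):
        gamma.append(goal[1])
        goal = goal[2]
    return derivable(gamma, goal)


if __name__ == '__main__':
    # Constructed sample sequents: Peirce's law is refuted, modus ponens is derived.
    peirce = imp(imp(imp('p', 'q'), 'p'), 'p')
    print('Peirce:', decide([], peirce))                                # False
    print('modus ponens:', decide(['p', imp('p', 'q')], 'q'))          # True
    print('k = 2:', decide([imps(['a', 'b'], 'c'), 'a', 'b'], 'c'))    # True
```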

Since treating the whole fragment would go beyond the limit of space, we 
have to omit this. 

7 Conclusion 

We have seen that developing an algorithm by extracting a program from a proof 
is not only possible, but even easier than proving that a given algorithm is sound 
and complete. The reason is that we work with the computational content of the 
rules rather than with their operational semantics. In that way, we presented a 
new aspect of Hudelmaier’s work [7]. 

8 Implementation 

The ⊃-part of the proof of Theorem 16 is already implemented in the formal system Minlog [10]. In this system, we can use the modified realisability method to extract an algorithm (see e.g. Troelstra and van Dalen [11]). The present version of Minlog requires the normalisation of the proof for extracting the algorithm. This means all the recursions are unfolded. Since all the case distinctions are implemented as boolean recursions, the program term is very large and unreadable. In future versions this will no longer be the case. Then, it should not take too much effort to implement the whole proofs of Theorems 16 and 25 and to extract competitive algorithms.
Abstract. FaCT is a Description Logic classifier which has been implemented as a test-bed for a highly optimised tableaux satisfiability (subsumption) testing algorithm. The correspondence between modal and description logics also allows FaCT to be used as a theorem prover for the propositional modal logics K, KT, K4 and S4. Empirical tests have demonstrated the effectiveness of the optimised implementation and, in particular, of the dependency directed backtracking optimisation.



1 Introduction 

FaCT[1] is a Description Logic (DL) classifier which has been implemented as a test-bed for a highly optimised tableaux satisfiability/subsumption testing algorithm. The underlying logic, ALC_{HR+}, is a superset of the ALC DL, and this means that FaCT can be used as a theorem prover for the propositional modal logic K(m) (K with multiple modalities) by exploiting the well known correspondence between the two logics [17]. Because ALC_{HR+} supports transitive relations, FaCT can also be used as a prover for K4(m), and it extends the range of logics it can deal with to include KT(m) and S4(m) by embedding formulae in K(m) and K4(m) respectively.

In order to make the FaCT system usable in realistic DL applications, a wide range of optimisation techniques are used in the implementation of the ALC_{HR+} satisfiability testing algorithm. Although some of these techniques were designed to take advantage of the structure of a DL knowledge base (KB), and the repetitive nature of the satisfiability problems encountered when classifying a KB, some of the optimisations are also effective in improving FaCT's performance with respect to single satisfiability problems.

2 Description Logics and Modal Logics 

Description Logics support the logical description of concepts and roles (relationships) and their combination, using a variety of operators, to form more complex descriptions. The ALC DL [18] allows descriptions to be formed using standard logical connectives as well as both universally and existentially quantified relational operators: if C is a concept and R is a role then an ALC concept expression is of the form C | ⊤ | ⊥ | ¬C | C ⊓ D | C ⊔ D | ∃R.C | ∀R.C. A Tarski style model theoretic semantics is used to interpret expressions [3].

[1] Fast Classification of Terminologies.

H. de Swart (Ed.): TABLEAUX'98, LNAI 1397, pp. 307-312, 1998.

© Springer-Verlag Berlin Heidelberg 1998

Table 1 shows how propositional K(m) formulae correspond to ALC concept expressions. Note that the modal operators □ and ◇ correspond to ∀R.C and ∃R.C expressions, with different roles corresponding to distinct modalities or accessibility relations. Standard modal K (K(1)) has only one modality, so modal K formulae correspond to ALC concept expressions containing a single role. The correspondence can be extended to K4(m) simply by making all roles transitive.

Table 1. The correspondence between modal K(m) and ALC

    K(m)       ALC        K(m)       ALC
    True       ⊤          False      ⊥
    φ          C          ¬φ         ¬C
    φ ∧ ψ      C ⊓ D      φ ∨ ψ      C ⊔ D
    □_i φ      ∀R_i.C     ◇_i φ      ∃R_i.C

FaCT also supports KT(m) and S4(m) by embedding formulae in K(m) and K4(m): □_i φ becomes φ ∧ □_i φ and ◇_i φ becomes φ ∨ ◇_i φ.

3 The ALC_{HR+} Tableaux Algorithm

The tableau algorithm for ALC_{HR+} is extended from an algorithm for the ALC_{R+} DL described in [16]. The full algorithm, along with a proof of its soundness and correctness, is given in [14].

The main features of the algorithm are: 

1. it uses a "single pass" tableau construction and search method as is usual in DL tableaux algorithms where logics generally have the finite model property;

2. transitive roles are dealt with simply by propagating □_i φ terms along i relations;

3. termination is ensured by "blocking" — checking for cycles in the tableau construction [7,1].

4 Optimisations 

To improve the performance of the ALC_{HR+} satisfiability testing algorithm, a range of optimisations have been employed. These include lexical normalisation and encoding, semantic branching search and dependency directed backtracking.
4.1 Normalisation and Encoding

In DL terminologies, large and complex concepts are seldom described monolithically, but are built up from a hierarchy of named concepts whose descriptions are less complex. The tableaux algorithm can take advantage of this structure by trying to find contradictions between concept names before substituting them with their definitions and continuing with the tableau expansion: we will call this strategy lazy unfolding. In fact it has been shown (in the Kris system) that a significant improvement in performance can be obtained simply by not deleting names when they are lazily unfolded [2]. This is because obvious contradictions can often be detected earlier by comparing names rather than unfolded definitions.

FaCT takes this optimisation to its logical conclusion by lexically normalising and encoding all formulae and, recursively, their sub-formulae, so that:

1. All formulae are named; e.g., φ ∧ ψ would be encoded as Φ where Φ = φ ∧ ψ.

2. All formulae are in a standard form; e.g., all ◇ formulae are converted to □ formulae, so ◇_i φ would be normalised to ¬□_i ¬φ. The encoded sub-formulae in conjunctions and disjunctions are also sorted.

Adding normalisation (step 2) allows lexically equivalent formulae to be recognised and identically encoded; it can also lead to the detection of formulae which are trivially satisfiable or unsatisfiable.

4.2 Semantic Branching Search 

Standard tableaux algorithms use an inherently inefficient search technique for the non-deterministic expansion of disjunctive formulae — they choose an unexpanded disjunction and check the different tableaux obtained by adding each of the disjuncts [11]. As the alternative branches of the search are not disjoint, there is nothing to prevent the recurrence of unsatisfiable disjuncts.

FaCT deals with this problem by using a semantic branching technique adapted from the Davis-Putnam-Logemann-Loveland procedure (DPL) commonly used to solve propositional satisfiability (SAT) problems [8,10]. Instead of choosing an unexpanded disjunction, a single disjunct φ is chosen from the set of unexpanded disjunctions, and the two possible tableaux obtained by adding either φ or ¬φ are then searched.

During the DPL search, FaCT also performs boolean constraint propagation (BCP) [9], a technique which maximises deterministic expansion, and thus pruning of the search via contradiction detection, before performing non-deterministic expansion. BCP works by deterministically expanding disjunctions which present only one expansion possibility, and detecting a contradiction when there is a disjunction which no longer has any expansion possibilities. In effect, BCP applies the inference rule to disjunctive formulae encountered in the tableau expansion, or in other words, performs some localised propositional resolution.
4.3 Dependency Directed Backtracking

Inherent unsatisfiability concealed in sub-formulae can lead to large amounts of unproductive backtracking search known as thrashing. For example, expanding the formula (φ_1 ∨ ψ_1) ∧ ... ∧ (φ_n ∨ ψ_n) ∧ ◇_i(φ ∧ ψ) ∧ … could lead to the fruitless exploration of 2^n possible expansions of (φ_1 ∨ ψ_1) ∧ ... ∧ (φ_n ∨ ψ_n) before the inherent unsatisfiability of ◇_i(φ ∧ ψ) ∧ … is discovered.

This problem is addressed by adapting a form of dependency directed backtracking called backjumping, which has been used in solving constraint satisfiability problems [5]. Backjumping works by labeling formulae with a dependency set indicating the branching choices on which they depend. When a contradiction is discovered, the dependency sets of the contradictory formulae can be used to identify the most recent branching point where exploring an alternative branch might alleviate the cause of the contradiction. The algorithm can then jump back over intervening branching points without exploring any alternative branches. A similar technique was employed in the HARP theorem prover [15].
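The three ingredients of Sections 4.2 and 4.3 on plain propositional clauses, as an added Python example that is not FaCT's code: semantic branching on a single literal, BCP with dependency sets, and backjumping to the most recent branching point named in the contradiction's dependency set. The instance built by thrashing_instance(n) is my constructed propositional analogue of the thrashing formula above (n harmless disjunctions in front of a small unsatisfiable core); all names are my own, and chronological backtracking is kept only for comparison.

```python
"""Semantic branching with boolean constraint propagation (BCP) and
dependency-directed backjumping on propositional clauses (added example)."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Literal = int                               # +v stands for variable v, -v for its negation
Clause = Tuple[Literal, ...]
# variable -> (truth value, dependency set: the decision levels it depends on)
Assignment = Dict[int, Tuple[bool, FrozenSet[int]]]


def literal_value(lit: Literal, assign: Assignment) -> Optional[bool]:
    entry = assign.get(abs(lit))
    if entry is None:
        return None
    return entry[0] if lit > 0 else not entry[0]


def bcp(clauses: List[Clause], assign: Assignment) -> Optional[FrozenSet[int]]:
    """Deterministic expansion: take every unit clause until a fixpoint is reached.
    Returns the dependency set of a contradiction, or None if there is none."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            open_lits, deps, satisfied = [], set(), False
            for lit in clause:
                value = literal_value(lit, assign)
                if value is True:
                    satisfied = True
                    break
                if value is None:
                    open_lits.append(lit)
                else:                           # refuted disjunct: remember what refuted it
                    deps |= assign[abs(lit)][1]
            if satisfied:
                continue
            if not open_lits:                   # no expansion possibility left: contradiction
                return frozenset(deps)
            if len(open_lits) == 1:             # exactly one possibility: expand deterministically
                lit = open_lits[0]
                assign[abs(lit)] = (lit > 0, frozenset(deps))
                changed = True
    return None


class Solver:
    def __init__(self, clauses: List[Clause], order: List[int], backjump: bool = True):
        self.clauses, self.order, self.backjump = clauses, order, backjump
        self.branch_points = 0                  # non-deterministic choices actually explored

    def search(self, assign: Assignment, level: int) -> Optional[FrozenSet[int]]:
        """None means satisfiable; otherwise the dependency set of the contradiction."""
        conflict = bcp(self.clauses, assign)
        if conflict is not None:
            return conflict
        var = next((v for v in self.order if v not in assign), None)
        if var is None:
            return None                         # every clause satisfied: open branch
        self.branch_points += 1
        left = dict(assign)
        left[var] = (True, frozenset({level}))  # branch on a single literal, not a disjunction
        c1 = self.search(left, level + 1)
        if c1 is None:
            return None
        if self.backjump and level not in c1:
            return c1                           # this choice is not to blame: jump over it
        right = dict(assign)
        right[var] = (False, c1 - {level})      # the alternative depends on what refuted the first
        c2 = self.search(right, level + 1)
        if c2 is None:
            return None
        return (c1 | c2) - {level}


def thrashing_instance(n: int) -> Tuple[List[Clause], List[int]]:
    """Constructed: (p1 v q1) & ... & (pn v qn) & (x v y) & (-x v y) & (x v -y) & (-x v -y).
    The last four clauses are unsatisfiable on their own but sit behind n disjunctions."""
    clauses = [(2 * i + 1, 2 * i + 2) for i in range(n)]
    x, y = 2 * n + 1, 2 * n + 2
    clauses += [(x, y), (-x, y), (x, -y), (-x, -y)]
    return clauses, list(range(1, 2 * n + 3))   # decide p1, q1, ..., pn, qn before x, y


def is_satisfiable(clauses: List[Clause], order: List[int], backjump: bool = True) -> Tuple[bool, int]:
    solver = Solver(clauses, order, backjump)
    return solver.search({}, 0) is None, solver.branch_points


def compare(n: int) -> Tuple[int, int]:
    """Branch points explored with and without backjumping on thrashing_instance(n)."""
    clauses, order = thrashing_instance(n)
    return is_satisfiable(clauses, order, True)[1], is_satisfiable(clauses, order, False)[1]


if __name__ == '__main__':
    print(compare(4))   # (9, 161): backjumping skips every alternative among the p_i/q_i
```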

5 Performance 

FaCT’s performance as a modal logic theorem prover has been tested using both 
randomly generated formulae, a test method described in [12] and derived from 
a widely used procedure for testing SAT decision procedures [10], and a corpus 
of carefully designed benchmark formulae [13]. 

FaCT performs well in tests using randomly generated formulae [14], but its advantages are more clearly demonstrated by the benchmark formulae, and in particular by the provable formulae.[2] This is because the hardness of these formulae often derives from hidden unsatisfiability, a phenomenon which rarely occurs in the randomly generated formulae where hardness is simply a feature of the problem size. Figure 1, for example, shows CPU time plotted against problem size for 2 classes of formulae from the K benchmark suite, k-dum-p and k-grz-p. FaCT's performance is compared with that of the Crack DL [6], the KSAT theorem prover [11] and the Kris DL [4]. The performance of FaCT with the backjumping optimisation disabled is also shown, indicated in the graphs by FaCT*. All the systems use compiled Lisp code (Allegro CL 4.3), and the tests were performed on a Sun Ultra 1 with a 147 MHz CPU and 64MB of RAM.

It can be seen from the graphs that FaCT not only outperforms the other systems, but that it exhibits a completely different qualitative performance: solution times for all the other systems increase exponentially with increasing formula size, whereas those for FaCT increase only very slowly. Extrapolating the results for the other systems suggests that FaCT would be several orders of magnitude faster for the largest problems in the test sets. The results for FaCT* demonstrate that, for these formulae, backjumping accounts for FaCT's performance advantage.

[2] Note that a formula is proved by showing that its negation is unsatisfiable.
6 Conclusion

Although it was designed for subsumption testing in a DL classifier, FaCT's optimised ALC_{HR+} satisfiability testing algorithm also performs well as a propositional modal logic theorem prover, and enables FaCT to outperform the other systems with which it has been compared. Backjumping has been shown to be particularly effective, changing both the quantitative and the qualitative performance of the algorithm for some classes of hard unsatisfiable formulae.
Abstract. Automated proof search can be easily implemented in logic programming languages. We demonstrate the technique of success continuations, which provides an equally simple method for encoding proof search in imperative programming languages. This technique is exemplified by developing an interpreter for the calculus G4ip in the language Pizza.

Keywords: Success Continuations, G4ip, Pizza



1 Introduction 

A sequent-calculus formulation of a logic is a convenient starting-point for automating proof search because the corresponding inference rules are 'local' operations on proofs. A sequent can be proved by applying inference rules until one reaches axioms; or can make no further progress in which case one must backtrack or even abandon the search. This proof method is a simple depth-first strategy; it is preferred over a less efficient breadth-first strategy. However, this method requires the mechanism of choice points in order to facilitate the backtracking. Logic programming languages provide substantial support for depth-first proof search and therefore simplify considerably the implementation of a proof search engine. Unfortunately these languages have a rather limited support for user interfaces, which makes them unsuitable for larger applications. Imperative programming languages, on the other hand, provide a rich environment for user interfaces, but seem to need a significant overhead of code for an implementation of a proof search engine. We illustrate in the paper an implementation technique using success continuations which provides a simple encoding of proof search. The technique is not new: it was introduced in [Car84] with a rather technical illustration in LISP. Later an excellent paper [EP91] appeared which implements a full-fledged interpreter for λProlog in SML.

In the paper we focus on intuitionistic logic, for which Gentzen's calculus LJ is a standard formalisation. Unfortunately a proof method for LJ using a depth-first search strategy cannot guarantee termination. Some modifications can be made to the inference rules of LJ without loss of soundness and completeness. As a result an efficient depth-first proof search procedure can be designed for the propositional fragment of intuitionistic logic. The name G4ip has been assigned to the corresponding calculus in [TS96]. This calculus is also known as LJT which has been studied thoroughly in [Dyc92]. The inference rules of G4ip are given in Fig. 1. G4ip has the pleasant property that a depth-first proof search does not loop and that it is sound and complete in terms of provable theorems.

Fig. 1. The Inference Rules of G4ip.

In the paper we demonstrate the implementation technique using the imperative programming language Pizza. Pizza is a strict extension of the object-oriented programming language Java such that Pizza programs can be translated into Java code or can be compiled into ordinary Java Byte Code (see [OW97] for a technical introduction into Pizza). We make use of the following two new language constructs:

- higher-order functions, i.e. functions may be passed as parameters or returned from methods;

- class cases and pattern matching: this allows much simpler and more readable code.

These features are not directly present in Java, but Pizza makes them accessible by translating them into Java. The higher-order functions are essential for our implementation. The success continuations are functions passed as parameters or returned as values. Pizza provides the programmer with access to the same extensive libraries for graphic and network applications as Java. The paper assumes some familiarity with Java or Pizza.

2 Design of the Proving Method 

In this section we are concerned with the abstract design of the proof search. Each step in the depth-first search is a reversed application of an inference rule. The inference rule analyses one formula, called the principal formula, of the sequent being proved. The construction of proofs, however, is not deterministic; it does not determine the choice of the principal formula. All formulae in a sequent are possible candidates and a naive proof method has to explore them all. A widely used optimisation is the search for uniform proofs [MNPS91]. Uniform proofs are constrained on the choice of the principal formula, i.e., whenever sequents have non-atomic goal formulae then only those inference rules which analyse these goal formulae are chosen. This optimised search strategy can be employed for logics for which uniform proofs are complete. However for G4ip, this optimisation cannot be made. For example, the sequent p ∨ q ⊢ p ∨ q has only one proof which is non-uniform. Therefore, we shall implement a proof method which first enumerates all formulae from the left-hand side of the sequent as being principal and applies corresponding left rules. Subsequently the goal formula is chosen and a right rule is applied. The sequents of G4ip are specified with multisets of formulae on the left-hand side. Accordingly, the enumeration of formulae as being principal can be done in any order. We have avoided making some optimisations in favour of a clear illustration of the success continuation technique. A λProlog implementation of the outlined proof method has been provided in order to compare the technique of success continuations and more traditional implementations using logic programming (see Sect. 5). A similar implementation was presented in [HM94] using Lolli, a logic programming language based on linear logic. This implementation differs from ours in the inactive parts of the sequents (i.e. Γ) which are treated implicitly.



3 The Representation of Formulae and Sequents 

Amongst the new language features of Pizza are class cases and pattern matching, which provide a very pleasant syntax for algebraic data types. The formulae of G4ip are specified by the following grammar:

    F ::= false | A | F&F | F∨F | F⊃F

(where A is taken from a set of atomic formulae). The class cases allow a straightforward implementation of this specification; it is analogous to the SML implementation of λProlog's formulae in [EP91]. The class of formulae is given below, followed by two examples that illustrate the use of this class:

public class Form {
  case False();
  case Atm(String c);
  case And(Form c1, Form c2);
  case Or(Form c1, Form c2);
  case Imp(Form c1, Form c2);
}

The class cases of Pizza also support an implementation of formulae specified by 
a mutually recursive grammar. This is required, for example, when implementing 
hereditary Harrop formulae. 



p ⊃ p is represented as:
  Imp(Atm("p"), Atm("p"))

a ∨ (a ⊃ false) is represented as:
  Or(Atm("a"), Imp(Atm("a"), False()))
The sequents of G4ip, which have the form Γ ⊢ G, are represented by means of the class below. The left-hand sides are specified by multisets of formulae. Therefore, we do not need to worry about the order in which the formulae occur.

public class Sequent { 

Form G; 

Context Gamma; 

public Sequent (Context _Gamma, Form _G) {...} 

} 

We have a constructor for generating new sequents during proof search. Context 
is a class which represents multisets; it is a simple extension of the class Vector 
available in the Java libraries. Context provides methods for adding elements 
to a multiset (add), taking out elements from a multiset (removeElement) and 
testing the membership of an element in a multiset (includes). 

4 The Implementation of the Proof Search 

In a first attempt we could implement the choice of a principal formula and the application of an inference rule in a recursive style. Suppose we have a method prove. This method receives a sequent F_1, ..., F_{n-1} ⊢ F_n as its only argument. In prove we could enumerate all formulae of the sequent as being principal and apply a corresponding inference rule, say R_i. This produces for each R_i some new sequents to be proved:

    Premise_1 ... Premise_m
    ----------------------- R_i
    F_1, ..., F_{n-1} ⊢ F_n

We perform prove again by calling it recursively with Premise_1 to Premise_m as arguments. However this simple method intermingles the separate concepts of proof obligations (which must be proved) and choice points (which can be tried out). To make this first attempt work we need to make some non-trivial modifications. A simpler method is to add another argument to the method prove. This additional argument will be an anonymous function, which is permitted by Pizza. The method prove is now of the form prove(sequent, sc). Somewhat simplified, the first argument is the leftmost premise (Premise_1) and the second argument sc, which is the success continuation, represents the other proof obligations (Premise_2 to Premise_m). In case we succeed in proving the first premise we attempt to prove the other premises.

The inference rules of G4ip fall into three groups: inference rules with a single premise, inference rules with two premises and inference rules without premises (e.g. Axiom). Suppose we have called prove with a sequent s and a success continuation sc. The inference rules of the first group manipulate s obtaining s' and call prove again with the new sequent s' and the current success continuation sc (Steps 2-3 and 4-5 in Fig. 2). The inference rules of the second group have two premises, s_1 and s_2. These rules call prove with s_1 and the new success continuation prove(s_2, sc) (Step 1-2 in Fig. 2). The third group of inference rules only invoke the success continuation if the rule is applicable (Steps 3-4 and 5-6 in Fig. 2).

Fig. 2. An Example for the Technique of Success Continuations.

We are going to give a detailed description of the code for the rules: &-L, ∨-R_i, ∨-L and Axiom. For lack of space the code of the other rules is omitted. The method prove enumerates all formulae as being principal and two switch statements select a corresponding rule depending on the form and the occurrence of the principal formula. The &-L rule is in the first group; it modifies the sequent being proved and calls prove again with the current success continuation. The code is as follows:[1]

  case And(Form B, Form C):  //&-L
    prove(new Sequent(Gamma.add(B,C), G), sc); break;

The ∨-R_i rule is an exception in the first group. It breaks up a goal formula of the form R_1 ∨ R_2 and proceeds with one of its components. Since we do not know in advance which component leads to a proof we have to try both. Therefore this rule acts as a choice point, which is encoded by a recursive call of prove for each case.

  case Or(Form B1, Form B2):  //∨-Ri
    prove(new Sequent(Gamma, B1), sc);
    prove(new Sequent(Gamma, B2), sc); break;

The ∨-L rule falls into the second group where the current success continuation is modified. It calls prove with the first premise (B, Γ ⊢ G) and wraps up the success continuation with the new proof obligation (C, Γ ⊢ G). The construction fun()->void {...} defines an anonymous function: the new success continuation. In case the sequent B, Γ ⊢ G can be proved, this function is invoked.

[1] Gamma stands for the multiset of formulae on the left-hand side of a sequent excluding the principal formula; G stands for the goal formula of a sequent; B and C stand for the two components of the principal formula.
  case Or(Form B, Form C):  //∨-L
    prove(new Sequent(Gamma.add(B), G),
          fun()->void { prove(new Sequent(Gamma.add(C), G), sc); }
    ); break;

The Axiom rule falls into the third group. It first checks if the principal formula (which is an atom) matches with the goal formula and then invokes the current success continuation sc in order to prove all remaining proof obligations.

  case Atm(String c):  //Axiom
    if (G instanceof Atm) { if (G.c.compareTo(c) == 0) { sc(); } } break;

The proof search is started with an initial success continuation is (cf. Fig. 2). This initial success continuation is invoked when a proof has been found. In this case we want to give some response to the user. An example for the initial success continuation is could be as follows:

  public void initial_sc() { System.out.println("Provable!"); }

Suppose we attempt to start the proof search with prove(p,pi-p,is). We would 
find that the prover responds twice with "Provable ! " because it finds two proofs. 
In our implementation this problem is avoided by encoding the proof search as a 
thread. Whenever a proof is found, the initial success continuation displays the 
proof and suspends the thread. The user can decide to resume with the proof 
search or abandon the search. 
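The rule groups described above, carried through as a small Python prover added here (it is not the paper's Pizza code and replaces its thread mechanism with an exception): the invertible rules are applied first, ∨-Ri is the choice point, ∨-L wraps the second premise into a new success continuation, and the initial continuation either counts the proofs found (so p, p ⊢ p yields 2) or stops at the first one.

```python
# Added example, not the paper's Pizza code: the (atom, &, v) fragment of G4ip
# searched with success continuations; all names here are the example's own.
from collections import namedtuple

Atm = namedtuple("Atm", "c")        # atomic formula
And = namedtuple("And", "l r")      # conjunction  B & C
Or = namedtuple("Or", "l r")        # disjunction  B v C

def prove(gamma, goal, sc):
    """Search proofs of the sequent gamma |- goal; sc() runs once per proof found."""
    if isinstance(goal, And):            # &-R (invertible): the right conjunct is
        prove(gamma, goal.l, lambda: prove(gamma, goal.r, sc))  # proved in the sc of the left
        return
    for i, f in enumerate(gamma):        # invertible left rules on the first compound formula
        rest = gamma[:i] + gamma[i + 1:]
        if isinstance(f, And):           # &-L: replace B & C by B, C
            prove(rest + [f.l, f.r], goal, sc)
            return
        if isinstance(f, Or):            # v-L: prove B, Gamma |- G; C, Gamma |- G goes into the new sc
            prove(rest + [f.l], goal, lambda: prove(rest + [f.r], goal, sc))
            return
    if isinstance(goal, Or):             # v-Ri: choice point, try both disjuncts
        prove(gamma, goal.l, sc)
        prove(gamma, goal.r, sc)
    elif isinstance(goal, Atm):          # Axiom: only atoms are left in gamma here
        for f in gamma:
            if f.c == goal.c:
                sc()

class Found(Exception):
    """Raised by the initial sc to stop at the first proof (the paper suspends a thread instead)."""

def provable(gamma, goal):
    def initial_sc():
        raise Found()
    try:
        prove(list(gamma), goal, initial_sc)
    except Found:
        return True
    return False

def count_proofs(gamma, goal):
    """Number of times the initial sc fires, e.g. 2 for p, p |- p as in the paper."""
    n = [0]
    def initial_sc():
        n[0] += 1
    prove(list(gamma), goal, initial_sc)
    return n[0]
```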



5 Conclusion 

We have adapted the technique of success continuations presented in [Car84] and 
[EP91] and provided an implementation of G4ip in the imperative programming 
language Pizza. This imperative language provides substantial support for user 
interfaces and network applications — more than current logic programming lan- 
guages. Our implementation of G4ip cannot be considered as optimal in terms 
of speed. A much more efficient (but less clear) proof-search algorithm for G4ip 
has been implemented by Dyckhoff in Prolog. Similar ideas could be encoded in 
our Pizza implementation; but our point was not the efficiency but the clarity 
of the implementation using success continuations. The technique is applicable 
wherever backtracking is required. We compared the code of our implementa- 
tion with a similar implementation of the naive proving strategy in AProlog: the 
ratio of code is approximately 2 to 1. This result is partly due to the fact that 
we had to implement a class for multisets. In a future version of Java, we could 
have accessed a package in the library. The technique of success continuation 
can also be applied to a first-order calculus as shown in [EP91], but the required 
mechanism of substitution needs to be implemented separately. 
The code of the implementations and some accompanying information are 
available under the address http://www.cl.cam.ac.uk/~cu200/Prover/. It in- 
cludes an applet which can be executed on a Java-capable browser. 
Acknowledgements: I am very grateful for Dr Roy Dyckhoff’s constant en- 
couragement and many comments on my work. I thank Dr Gavin Bierman who 
helped me to test the prover applet and commented on the paper. The work was 
supported by a scholarship from the German Academic Exchange Service. 
Abstract. Automated theorem provers use search strategies. Unfortunately, 
there is no unique strategy which is uniformly successful on all 
problems. A combination of more than one strategy increases the chances 
of success. Limitations of resources such as time or the number of available 
processors enforce efficient use of these resources by partitioning 
them adequately among the involved strategies. One of the problems to 
be solved in the context of resource scheduling is an optimization problem. 
We describe this problem and discuss the prototypical theorem 
prover p-SETHEO. 



Introduction. A search problem is typically solved by applying a uniform search 
procedure. In automated deduction, different search strategies may have a 
strongly different behavior on a given problem. In general, it cannot be decided 
in advance which strategy is the best for a given problem. This motivates the 
competitive use of different strategies. In order to be successful with such an 
approach, the set of strategies must satisfy the following two intuitively given 
conditions. 

1. For a given set of problems, the function f(t) = where s(t) is the set of 
problems solved within time t is sub-linear, i.e., with each new time interval 
fewer new problems are solved. 

2. The strategies must be complementary w.r.t. a given problem set and a 
given time limit, i.e., they have to solve different sets of problems, or, at 
least, the sets of solved problems (w.r.t. a given problem set) must differ 
“significantly”. 

If both conditions are satisfied, then a competitive use of different strategies 
can be more successful than the best single strategy. The first condition is typi- 
cally satisfied in automated theorem proving whereas the second condition has 
not been in the focus of automated deduction research so far. The success of 
p-SETHEO shows that it is worthwhile to develop methods for achieving com- 
plementary strategies, which is left to future research. 

Related Approaches. The method introduced here differs significantly from 
a partitioning of the search space which is done, for instance, in PARTHEO [8]. 

* This work is supported by the Deutsche Forschungsgemeinschaft within the Sonder- 
forschungsbereich 342, subproject A5. 
Partitioning guarantees that no part of the search space is explored more than 
once. However, partitioning has the main disadvantage that completeness can 
only be guaranteed if all agents are reliable. In contrast to partitioning, strategy 
parallelism retains completeness as long as one agent is reliable. 

A combination of different strategies is used, e.g., within the Team Work con- 
cept of DISCOUNT [1], where a combination of several completion strategies for 
unit equality problems periodically exchanges intermediate results. The clause 
diffusion concept of AQUARIUS [2] uses a resolution based prover with cooperating 
agents on split databases. A third approach is the Nagging concept [6]. 
Here, dependent subtasks will be sent by a master process to the naggers, which 
try to solve them and report on their success. The results will be integrated into 
the main proof attempt. 

Strategy Parallelism. The selection of more than one search strategy in combi- 
nation with techniques to partition the available resources (time and processors) 
with respect to the actual task defines a new parallelization method, which we 
call strategy parallelism. (Distributed) competitive agents traverse similar search 
spaces, at least in different order. Whenever an agent finds a solution, all other 
agents are stopped. With this method it is intended that the strategies traverse 
the search space in such a manner that, in practice, the repeated consideration 
of the same parts can be avoided. In the simple form of strategy parallelism 
which is discussed here, there is no interaction between the competitive agents. 
This enables the combination of even completely different search paradigms, for 
example, resolution and model elimination. 

An Optimization Problem. A combination of strategies increases the chances 
of success. Limitations of resources such as time or processors enforce efficient use 
of these resources by partitioning them adequately among the involved strategies. 
This leads to the following strategy allocation problem. 

GIVEN a set $F = \{f_1, \ldots, f_n\}$ of objects (formulae or training problems), a 
set $S = \{s_1, \ldots, s_m\}$ of functions (admissible strategies) $s_i : F \to \mathbb{N}^+ \cup \{\infty\}$¹ 
($1 \le i \le m$), and nonnegative integers $t$ (time limit) and $p$ (number of available 
processors). 

FIND ordered pairs $(t_1, p_1), \ldots, (t_m, p_m)$ (strategy $i$ will be scheduled for time $t_i$ 
on processor $p_i$) of nonnegative integers such that 

$$\sum_{\{i : p_i = j\}} t_i \le t \quad \text{for all } j = 1, \ldots, p, \qquad \text{and} \qquad \Bigl|\, \bigcup_{i=1}^{m} \{ f : s_i(f) \le t_i \} \,\Bigr| \text{ is maximal}^2,$$ 

i.e., assign resources to the strategies such that a maximal number of problems from 
the training set can be solved. The decision variant³ of the problem is in NP: 
a given satisfying allocation can be verified in polynomial time. Unfortunately, 
the decision variant of the problem is already strongly NP-complete⁴ for a single 

¹ $\infty$ is added because the strategy $s_i$ may be incomplete, or the problem cannot be 
solved in the given time. 

² $s(f)$ is the time the strategy $s$ needs to solve the formula $f$. 

³ Guess a resource allocation such that more than $k$ problems can be solved. 

⁴ Recognizable by providing a polynomial reduction of the minimum cover problem. 




A. Wolf 

processor. Therefore, in practice the determination of an optimal solution for the 
full problem will not be possible, at least not on larger sets and with classical 
methods. One reasonable possibility is to use a gradient procedure. This indeed 
was done to select p-SETHEO’s strategies. 
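The allocation problem stated above on a constructed training set, as an added example that is neither the paper's nor p-SETHEO's code: check_allocation is the polynomial-time verifier behind the NP-membership claim, and greedy_schedule is this example's own greedy stand-in (for a single processor) for the gradient procedure the paper mentions without specifying.

```python
# Added example, not part of the paper or of p-SETHEO: the strategy allocation
# problem on a constructed training set, with a polynomial-time checker for its
# decision variant and a greedy (gradient-style) approximation for one processor.
from math import inf

# Constructed sample: S[i][f] is the time strategy i needs for problem f (inf = unsolved).
S = [
    [5, inf, 40, inf, inf, 10],
    [inf, 8, inf, 60, inf, inf],
    [20, 20, 20, 20, inf, inf],
    [inf, inf, inf, inf, 30, inf],
]

def solved(S, alloc):
    """Union of the problems solved when strategy i runs for alloc[i] time units."""
    return {f for i, t_i in enumerate(alloc) for f in range(len(S[i])) if S[i][f] <= t_i}

def check_allocation(S, alloc, procs, t, k):
    """Decision variant: does the allocation (t_i on processor procs[i]) respect the
    per-processor time limit t and solve at least k problems? Polynomial in |S| and |F|."""
    load = {}
    for t_i, p_i in zip(alloc, procs):
        load[p_i] = load.get(p_i, 0) + t_i
    if any(l > t for l in load.values()):
        return False
    return len(solved(S, alloc)) >= k

def greedy_schedule(S, t):
    """Single-processor approximation: repeatedly extend the strategy whose next
    solvable problem costs the least extra time per newly solved problem."""
    alloc = [0] * len(S)
    while True:
        done = solved(S, alloc)
        best = None
        for i, row in enumerate(S):
            for f, s_if in enumerate(row):
                if f in done or s_if == inf or s_if <= alloc[i]:
                    continue
                extra = s_if - alloc[i]                  # raise t_i up to s_i(f)
                if sum(alloc) + extra > t:               # must stay within the time limit
                    continue
                gain = sum(1 for g, s in enumerate(row) if g not in done and s <= s_if)
                ratio = gain / extra
                if best is None or ratio > best[0]:
                    best = (ratio, i, s_if)
        if best is None:
            return alloc
        alloc[best[1]] = best[2]
```

For t = 25 the greedy choice [10, 8, 0, 0] solves three problems although running the third strategy alone for 20 time units would solve four, which is why the paper speaks only of an approximate solution.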

Implementation. In order to investigate the potential of strategy parallelism 
in practice, we have evaluated the method on different strategies of the sequen- 
tial model elimination prover SETHEO [5]. We implemented the PVM based 
[4] p-SETHEO system. p-SETHEO can be configured very easily by an ASCII 
file containing information about the usable hosts, the maximal number of 
simultaneously running strategies per processor, and the resource allocation for 
the selected strategies. Currently, all contained strategies are variants of SE- 
THEO which have been obtained by modifying the parameter settings. Because 
of the generic layout of the p-SETHEO controlling mechanism, new strategies 
and even new theorem provers can be integrated very easily. The implementa- 
tion uses PERL, PVM, C, and shell tools in approximately 1000 lines of code 
(excluding SETHEO). The parallelization model of p-SETHEO works as follows: 

1. Select a set of triples of strategies, computation times, and assigned proces- 
sors. 

2. Perform the preprocessing steps needed for all selected strategies (reordering, 
equality treatment, lemma generation etc.) 

3. Start all prover strategies. The first prover finding a proof stops all other 
processes. 

Figure 1 shows the parallel flow of processes for an example p-SETHEO 
configuration. 




Fig. 1. Parallelization model of p-SETHEO (example). 
Experimental Results. A simple TPTP configuration. Evidence for the perfor- 
mance of the strategy parallel approach is the combination of four arbitrarily 
selected strategies on four processors: iterative deepening on tableau depth with 
and without folding-up, and the iterative deepening with the weighted depth 
bound also with and without folding-up⁵. The result of this experiment is shown 
in Table 1. The best single strategy solves within 310% of the time only 70% of 
the problems p-SETHEO solves. If we consider parallel work instead of time, 
p-SETHEO solves significantly more problems with nearly the same costs; so 
the best single strategy needs 111% of the work per solution p-SETHEO needs. 

configuration       solutions    %    time      %    work      %   work/solution    % 
-dr                     151     66   106128  377   106128   94        703       143 
-dr with -foldup        159     69    91561  325    91561   81        576       118 
-wdr                    122     53   128587  456   128587  114       1054       215 
-wdr with -foldup       161     70    87321  310    87321   78        542       111 
p-SETHEO                230    100    28168  100   112672  100        490       100 

Table 1. Combination of four strategies on a TPTP subset: the 230 tasks from TPTP 
which can be solved by at least one strategy within 1000 seconds but which are solved by 
at most two strategies within less than 20 seconds. p-SETHEO combines all strategies. 
Time and work are given in seconds. The time limit is 1000 seconds. 

Application of the strategy allocation problem. As training set F we selected 
the 420 problems in clausal form of the TPTP problem library [7] that have 
been used for the CADE-14 theorem prover competition. For a given set of 20 
strategies S (parameter settings of SETHEO), the solution times s(f), for any 
f ∈ F, s ∈ S, were computed with a time limit T of 300 seconds per problem. 
An approximate solution of the mentioned strategy allocation problem for one 
processor and 300 seconds CPU time leads to a strategy schedule, which was 
tested on the whole TPTP and compared with the best single strategy. The 
result is shown in Figure 2. 

Assessment. Many issues of importance for strategy parallelism have not been 
discussed here: How can a set of strategies be obtained that solve as many 
problems as fast as possible and have sets of solved problems that differ as much 
as possible? Often, strategies are only successful for a certain class of problems. 
For example, unit equality problems need different treatment than problems 
without equality. If such features can be identified, the selection of strategies can 
be made more specific and hence more successful. The success of the selected 
strategies depends on the given training set. How do we obtain a training set 
which is representative for the considered domain of problems? The number of 
sensible strategies which are successful and differ as much as possible seems to be 
bounded. This restricts the scalability of strategy parallelism to large platforms 
of parallel processors. Can we find a systematic method for producing as many 
successful and differing strategies as we want? Probably such a method must 
contain randomized elements. 

⁵ For details on the parameter settings see [5]. 

(Figure 2: two plots, axis labels "time" and "best single strategy".) 

Fig. 2. In the left plot, the • marks the number of problems solved by the best single 
strategy within a certain time, the * shows the problems solved by p-SETHEO. The 
right plot compares proof times of p-SETHEO with the best single strategy. The points 
lying underneath the dotted line represent all problems that p-SETHEO solves in less 
time than the best single strategy. 

We have investigated the problems and perspectives of strategy parallelism. 
As our experiments show, even with a very simple strategy allocation algorithm 
and a non-optimized set of admissible strategies, one can significantly increase 
the performance of theorem provers. While, in theorem proving, often the system 
developer or advanced user can tune his system to a given problem by using his 
experience, this is not possible in practice if the theorem prover is integrated into 
a larger proof environment like ILF [3]. In this case the configuration should be 
done automatically, and strategy parallelism is a good alternative. 